Logical Methods in Computer Science 
Vol. 6 (1:2) 2010, pp. 1-35 
www.lmcs-online.org 



Submitted May. 14, 2009 
Published Jan. 12, 2010 



A GRAPH MODEL FOR IMPERATIVE COMPUTATION 



GUY MCCUSKER 



Department of Computer Science, University of Bath, Bath BA2 7AY, United Kingdom 
e-mail address: G.A.McCusker@bath.ac.uk 



Abstract. Scott's graph model is a lambda-algebra based on the observation that con- 
tinuous endofunctions on the lattice of sets of natural numbers can be represented via their 
graphs. A graph is a relation mapping finite sets of input values to output values. 

We consider a similar model based on relations whose input values are finite sequences 
rather than sets. This alteration means that we are taking into account the order in 
which observations are made. This new notion of graph gives rise to a model of affine 
lambda-calculus that admits an interpretation of imperative constructs including variable 
assignment, dereferencing and allocation. 

Extending this untyped model, we construct a category that provides a model of typed 
higher-order imperative computation with an affine type system. An appropriate language 
of this kind is Reynolds's Syntactic Control of Interference. Our model turns out to be 
fully abstract for this language. At a concrete level, it is the same as Reddy's object spaces 
model, which was the first "state-free" model of a higher-order imperative programming 
language and an important precursor of games models. The graph model can therefore be 
seen as a universal domain for Reddy's model. 



This paper is an investigation into the semantics of imperative programs, using a style of 
model first proposed by Reddy [19]. Reddy's model was a significant development, because 
it was the first to model imperative programs without the use of an explicit semantic 
entity representing the store. Instead, programs are interpreted as "objects" (in Reddy's 
terminology) which exhibit history-sensitive behaviour. The store is not modelled explicitly; 
instead one models the behaviour that results from the use of the store. 

This new approach turned out to be the key to finding models that are fully abstract: 
that is, models whose equational theory coincides with the operationally defined notion 
of program equivalence. The first such models for higher-order imperative programming 
languages to be discovered were based on game semantics [21 Q]. Although these models 
used several ideas from Reddy's work, it was not known whether Reddy's model was itself 
fully abstract for the language SCI which it interprets. 

In this paper, some of which is a much extended exposition of work first presented 
in [13], we show that Reddy's model is indeed fully abstract. But more than this, we argue 
that it arises from a straightforward modification of Scott's well-known $P\omega$ graph model of 
the $\lambda$-calculus [22]. Just as in Scott's work, we develop a model in which every type-object 
appears as a retract of a universal object, and it turns out that these retractions are all 
definable in a slightly extended SCI language. Thus the language has a universal type, 
which leads to a very cheap proof of full abstraction. With some additional effort, we show 
that the extensions required to establish this universal type are in fact conservative, that is, 
they do not alter the notion of program equivalence. Therefore the original model is itself 
fully abstract. 

We should remark that the work required to establish conservativity of one of these 
extensions amounts to a partial definability result which would be enough to prove full ab- 
straction of the original model directly; indeed, that is what was done in [13]. Nevertheless, 
we believe that the presentation in terms of conservativity is useful, not least because of 
the ease of establishing full abstraction for the extended language. 

1.1. Related work. The utility of a universal type for establishing properties of a model is 
well-known, and was explained in detail by Longley [11]. The central idea of this paper, of 
modifying Scott's graph model to record slightly different information, has also been used by 
Longley in [12] to obtain a model of fresh name generation. A similar model construction 
has been investigated by Hyland et al. [7]. We shall remark further on the connections 
between these papers and our present work below, although we leave closer investigation 
for future work. 

The denotational semantics of SCI was first treated by O'Hearn [17] using functor 
categories. Reddy's model [19] was the first to avoid the explicit use of a store-component 
in the mathematical model, but as mentioned above this model was not known to be fully 
abstract until a preliminary version of the work being reported here appeared [13]. Joint 
work of the present author and Wall [23] developed a game semantics for SCI and established 
a full abstraction result. Laird [9] analysed the fully abstract relational model to 
show that equivalence of programs in a finitary fragment of SCI is decidable, but obser- 
vational approximation is not, and went on to construct a fully abstract games model of 
a version of SCI with control operators, establishing decidability of both equivalence and 
approximation. The SCI type system itself has been refined and extended in two ways: 
first by Reynolds, using intersection types [21] , and then by O'Hearn et al. [15], using a 
novel system with two-zone type judgements. 

1.2. Acknowledgments. The author is very grateful to the many researchers with whom 
he has discussed this work, including Martin Churchill, Jim Laird, John Longley, Ana Car- 
olin Martins, Peter O'Hearn, John Power and Uday Reddy. The comments of anonymous 
referees were very useful in the preparation of the final version of the paper. The author 
also benefitted from the support of two EPSRC research grants during the development and 
preparation of this paper. 

2. Scott's $P\omega$ model 

We begin with a brief review of Scott's $P\omega$ graph model of the $\lambda$-calculus, which appeared in the seminal paper Data Types as Lattices [22]. 
Let $P\omega$ denote the lattice of sets of natural numbers, ordered by inclusion. A continuous function $f : P\omega \to P\omega$ is determined by its action on finite sets. Therefore, such an $f$ is determined by the set 

$$\mathrm{graph}(f) = \{(S, n) \mid S \subseteq_{\mathrm{fin}} \omega,\ n \in \omega,\ n \in f(S)\}.$$

Conversely, let $G$ be a set of pairs $(S, n)$ with $S \subseteq_{\mathrm{fin}} \omega$ and $n \in \omega$. We can define a continuous function $\mathrm{fun}(G) : P\omega \to P\omega$ by 

$$\mathrm{fun}(G)(S) = \{n \mid \exists S' \subseteq S.\ (S', n) \in G\}$$

and it is clear that for any continuous $f$, $\mathrm{fun}(\mathrm{graph}(f)) = f$. 

Let $\mathrm{code}(-)$ be any injective encoding 

$$\mathrm{code} : P_{\mathrm{fin}}\omega \times \omega \to \omega.$$

Writing $[P\omega \to P\omega]$ for the complete partial order of continuous functions from $P\omega$ to itself, the mapping 

$$f \mapsto \{\mathrm{code}(S, n) \mid (S, n) \in \mathrm{graph}(f)\}$$

is a continuous function $[P\omega \to P\omega] \to P\omega$, and 

$$S \mapsto \mathrm{fun}(\{(S', n) \mid \mathrm{code}(S', n) \in S\})$$

is a continuous function $P\omega \to [P\omega \to P\omega]$. These two mappings therefore form a retraction 

$$[P\omega \to P\omega] \lhd P\omega$$

in the category of domains and continuous functions, so that $P\omega$ is a reflexive object in this category, and thus a model of untyped $\lambda$-calculus. For more details on how reflexive objects are used to model $\lambda$-calculus, see Barendregt [1]. 

Scott in fact worked in the other direction: from the $P\omega$ model he defined a category in which to work, using the Karoubi envelope (see for example [10]) of the monoid of endomorphisms of $P\omega$. One way of presenting this monoid is as follows. Its elements are graphs of continuous functions from $P\omega$ to itself; explicitly, an element $a$ is a set of pairs $(S, n)$, where $S \subseteq_{\mathrm{fin}} \omega$ and $n \in \omega$, such that 

$$(S, n) \in a \wedge S \subseteq S' \Rightarrow (S', n) \in a.$$

(It is easy to verify that these are exactly the image of the $\mathrm{graph}(-)$ function.) The monoid operation is the graph representation of function composition, which can be defined by 

$$a \cdot b = \{(\textstyle\bigcup_{i=1}^{k} S_i,\ n) \mid \exists m_1, \dots, m_k.\ (\{m_1, \dots, m_k\}, n) \in b \wedge (S_i, m_i) \in a,\ i = 1, \dots, k\}.$$

The Karoubi envelope of this monoid is the category whose objects are idempotents, i.e. elements $a$ such that $a = a \cdot a$, and maps $f : a \to b$ are elements of the monoid such that $f = a \cdot f \cdot b$. Scott shows that this is a cartesian closed category and notes that it is equivalent to the category of separable continuous lattices and continuous maps. A similar theory yielding a category of cpos was developed by Plotkin [18]. In this paper, we will show that replacing the finite sets $S$ in the above construction with finite sequences yields a category appropriate for modelling imperative computation. 

The monoid in question has as its elements sets of pairs $(s, n)$ where $s$ is a finite sequence of natural numbers and $n$ is a natural number. Multiplication is defined by 

$$a \cdot b = \{(s_1 \cdots s_k,\ n) \mid \exists m_1, \dots, m_k.\ (m_1 \cdots m_k, n) \in b \wedge (s_i, m_i) \in a,\ i = 1, \dots, k\}$$

where $s_1 \cdots s_k$ denotes the concatenation of the sequences $s_1, \dots, s_k$ and we identify singleton sequences with their unique elements. 
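As an added illustration (not from the paper), the following Python computes both compositions on small constructed graphs and shows what the move from sets to sequences buys: two sequence graphs whose order-forgetful collapses are identical compose to different results in the sequence monoid, while Scott's composition cannot tell the two observation orders apart. The graphs A, B and the finite universe used for the identity are constructed for the example, and finite Python sets stand in for the infinite graphs of the text.

```python
from itertools import product

# Added example, not from the paper: the two graph compositions of Section 2.
# An element of Scott's monoid is a set of pairs (S, n) with S a finite set of
# inputs (a frozenset here); an element of the sequence monoid M is a set of
# pairs (s, n) with s a finite sequence of inputs (a tuple here).  In both,
# (input, n) lies in a.b when b holds some (m_1 ... m_k, n) and a produces each
# m_i from a piece of the input; Scott unions the pieces, M concatenates them
# in order.  Scott's elements are also upward closed; that is not needed for
# the formula and is left out.  Finite Python sets stand in for the infinite
# graphs of the text.

def _supports(a, ms):
    """All ways of choosing, for each m_i in ms, some (input_i, m_i) in a."""
    return product(*[[inp for inp, m in a if m == mi] for mi in ms])

def compose_sets(a, b):
    """a . b in Scott's monoid: the input pieces are unioned, so order is lost."""
    return {(frozenset().union(*choice), n)
            for ms, n in b for choice in _supports(a, ms)}

def compose_seqs(a, b):
    """a . b in the sequence monoid M: the input pieces are concatenated in order."""
    return {(sum(choice, ()), n)
            for ms, n in b for choice in _supports(a, ms)}

def forget_order(g):
    """Collapse a sequence graph to the set graph Scott's model would record."""
    return {(frozenset(s), n) for s, n in g}

def identity_seqs(universe):
    """Identity of M, cut down to a finite universe of values."""
    return {((m,), m) for m in universe}

# Constructed graphs: A relabels a single observed input; B answers 0 if it
# observes 10 and then 20, and 1 if it observes 20 and then 10.
A = {((1,), 10), ((2,), 20)}
B = {((10, 20), 0), ((20, 10), 1)}

if __name__ == "__main__":
    print(compose_seqs(A, B))                              # {((1, 2), 0), ((2, 1), 1)}
    print(compose_sets(forget_order(A), forget_order(B)))  # both outputs from {1, 2}
```

In the sequence monoid the composite A·B still separates the two orders, whereas after forgetting order the same input set {1, 2} supports both outputs; this is the order sensitivity the paper exploits to model assignment and dereferencing.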

Let us call this monoid $\mathcal{M}$ and its Karoubi envelope $\mathcal{K}(\mathcal{M})$. Concretely, the connection between $\mathcal{M}$ and Scott's monoid is very straightforward: sequences replace Scott's finite sets, and concatenation replaces union. It seems obvious that the move from Scott's construction to ours is nothing more than replacing one monad, the monad of finite powerset, with another, that of finite sequences, in some formal construction. In fact the situation is not quite so straightforward: in order to set things up in an axiomatic fashion, one appears to require a distributive law of the monad at hand over the powerset monad. While the monad of finite sequences does distribute over $\mathcal{P}$, $\mathcal{P}_{\mathrm{fin}}$ does not. This situation has been studied by Hyland et al. in [7], where models along the lines of Scott's are built axiomatically, using a Kleisli-category construction. Their work only applies to commutative monads, and therefore not to the finite-sequence monad, so it is not directly applicable here. Moreover, for our purposes neither the category $\mathcal{K}(\mathcal{M})$ nor the kind of Kleisli construction proposed by Hyland et al. provides the most convenient setting in which to work. Although our model of imperative computation can be seen as living entirely within these categories, we shall propose a somewhat different construction which yields additional structure useful in the analysis of the model. 

We note also that Longley has recently shown how a similar category, built from an 
untyped graph-style model using the monad of finite multisets, as opposed to finite sets or 
finite sequences, provides a model of fresh name generation [12]. In future work, we plan 
to investigate the relationships between all these models in greater detail, and explore the 
constructions at the higher level of generality proposed by Hyland et al. 

3. Syntactic Control of Interference 

The imperative language we shall model is Reynolds's Syntactic Control of Interference 
(SCI) [20], and this section is devoted to the presentation of its syntax, operational se- 
mantics and notion of program equivalence. The language was introduced by Reynolds as 
an approach to the problem of establishing the non-interference properties of procedures 
and their arguments required by specification logic. Reddy noticed that it was precisely 
this interference- free fragment of an Algol- like language which his model could interpret. 
Later, Reddy and O'Hearn showed that the model could be extended to a full Algol-like 
language by means of the Yoneda embedding [16], but it was not until the refinement of 
game semantics was discovered that a fully abstract model for such a language became 
available. 

The SCI language consists of a direct combination of the language of while-loops, local 
variable allocation and the simply-typed A-calculus with an affine type discipline. The types 
of SCI are given by the grammar 

$$A ::= \mathsf{nat} \mid \mathsf{comm} \mid \mathsf{var} \mid A \multimap A$$

where the base types are those of natural numbers (nat), commands (comm) and assignable variables (var). The terms of the language are as follows. 

$$\begin{array}{rcl}
M & ::= & n \mid M + M \mid M - M \mid \dots \\
  & \mid & \mathsf{skip} \mid M ; M \mid M := M \mid\ !M \\
  & \mid & \mathsf{while}\ M\ \mathsf{do}\ M \mid \mathsf{if\ zero}\ M\ \mathsf{then}\ M\ \mathsf{else}\ M \\
  & \mid & x \mid \lambda x^A.M \mid MM \\
  & \mid & \mathsf{new}\ x\ \mathsf{in}\ M
\end{array}$$

where $n$ ranges over the natural numbers, $x$ over a countable set of identifiers, and $A$ over the types of SCI. We adopt the usual conventions with regard to binding of identifiers: $\lambda x^A.M$ binds $x$ in $M$; terms are identified up to $\alpha$-equivalence; and $M[N/x]$ denotes the capture-avoiding substitution of $N$ for free occurrences of $x$ in $M$. 

The type system of the language imposes an affine discipline on application: no function is allowed to share free identifiers with its arguments. Typing judgments take the form 

$$x_1 : A_1, \dots, x_n : A_n \vdash M : A$$

where the $x_i$ are distinct identifiers, the $A_i$ and $A$ are types, and $M$ is a term. We use $\Gamma$ and $\Delta$ to range over contexts, that is, lists $x_1 : A_1, \dots, x_n : A_n$ of identifier-type pairs with all identifiers distinct. The well-typed terms are given by the following inductive definition, in which it is assumed that all judgments are well-formed. 
$\lambda$-calculus: 

$$x : A \vdash x : A \qquad\qquad \frac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x^A.M : A \multimap B} \qquad\qquad \frac{\Gamma \vdash M : A \multimap B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash MN : B}$$

Structural rules: 

$$\frac{\Gamma \vdash M : B}{\Gamma, x : A \vdash M : B}\ \text{weakening} \qquad\qquad \frac{\Gamma \vdash M : B}{\Gamma' \vdash M : B}\ \text{exchange}$$

Arithmetic: 

$$\vdash n : \mathsf{nat} \qquad\qquad \frac{\Gamma \vdash M : \mathsf{nat} \qquad \Gamma \vdash N : \mathsf{nat}}{\Gamma \vdash M \odot N : \mathsf{nat}}\ \odot \in \{+, -, \dots\}$$

Sequential composition: 

$$\vdash \mathsf{skip} : \mathsf{comm} \qquad\qquad \frac{\Gamma \vdash M : \mathsf{comm} \qquad \Gamma \vdash N : B}{\Gamma \vdash M ; N : B}\ B \in \{\mathsf{comm}, \mathsf{nat}, \mathsf{var}\}$$

Assignable variables: 

$$\frac{\Gamma \vdash M : \mathsf{var} \qquad \Gamma \vdash N : \mathsf{nat}}{\Gamma \vdash M := N : \mathsf{comm}} \qquad\qquad \frac{\Gamma \vdash M : \mathsf{var}}{\Gamma \vdash\ !M : \mathsf{nat}}$$

Control structures: 

$$\frac{\Gamma \vdash M : \mathsf{nat} \qquad \Gamma \vdash N : \mathsf{comm}}{\Gamma \vdash \mathsf{while}\ M\ \mathsf{do}\ N : \mathsf{comm}} \qquad\qquad \frac{\Gamma \vdash M : \mathsf{nat} \qquad \Gamma \vdash N_1 : B \qquad \Gamma \vdash N_2 : B}{\Gamma \vdash \mathsf{if\ zero}\ M\ \mathsf{then}\ N_1\ \mathsf{else}\ N_2 : B}\ B \in \{\mathsf{comm}, \mathsf{nat}, \mathsf{var}\}$$

Local blocks: 

$$\frac{\Gamma, x : \mathsf{var} \vdash M : B}{\Gamma \vdash \mathsf{new}\ x\ \mathsf{in}\ M : B}\ B \in \{\mathsf{comm}, \mathsf{nat}\}$$

In the exchange rule, $\Gamma'$ denotes any permutation of the list $\Gamma$. In the rule for application, the assumption that the conclusion is well-formed implies that $\Gamma$ and $\Delta$ contain distinct identifiers. This was key to Reynolds's interference control agenda: in the absence of a contraction rule, the only source of identifier aliasing in the language is through procedure application, so by enforcing the constraint that procedures and their arguments have no identifiers in common, one eliminates all aliasing. It then follows that program phrases with no common identifiers cannot interfere with one another. 

Note. Our version of SCI allows side-effects at all base types: see the typing rule for se- 
quential composition. We also include a conditional at all base types. Variable allocation, 
however, is restricted to blocks of type comm and nat: terms such as new x in x are not per- 
mitted, because any sensible operational semantics for such terms would violate the stack 
discipline for allocation and deallocation of variables. 

The operational semantics of the language is given in terms of stores, that is, functions from identifiers to natural numbers. A store $\sigma$ has as its domain a finite set of identifiers, $\mathrm{dom}(\sigma)$. Given a store $\sigma$, we write $(\sigma \mid x \mapsto n)$ for the store with domain $\mathrm{dom}(\sigma) \cup \{x\}$ which maps $x$ to $n$ and is identical to $\sigma$ on other identifiers. Note that this operation may extend the domain of $\sigma$. 

Operational semantic judgments take the form 

$$\Gamma \vdash \sigma, M \Downarrow \sigma', V : A$$

where 

• $\Gamma$ is a context containing only var-type identifiers 

• $\sigma$ and $\sigma'$ are stores whose domain is exactly the identifiers in $\Gamma$ 

• $M$ and $V$ are terms 

• $A$ is a type 

• $\Gamma \vdash M : A$ and $\Gamma \vdash V : A$ 

• $V$ is a value, that is, a natural number, the constant skip, an identifier (which must have type var) or a $\lambda$-abstraction. 

For the sake of brevity we omit the typing information from the inductive definition below, writing judgments of the form $\sigma, M \Downarrow \sigma', V$. 
Values and functions: 

$$\frac{}{\sigma, V \Downarrow \sigma, V}\ V \text{ a value} \qquad\qquad \frac{\sigma, M \Downarrow \sigma', \lambda x^A.M' \qquad \sigma', M'[N/x] \Downarrow \sigma'', V}{\sigma, MN \Downarrow \sigma'', V}$$

Operations: 

$$\frac{\sigma, M_1 \Downarrow \sigma', n_1 \qquad \sigma', M_2 \Downarrow \sigma'', n_2}{\sigma, M_1 \odot M_2 \Downarrow \sigma'', n}\ n = n_1 \odot n_2,\ \odot \in \{+, -, \dots\}$$

$$\frac{\sigma, N \Downarrow \sigma', n \qquad \sigma', M \Downarrow \sigma'', x}{\sigma, M := N \Downarrow (\sigma'' \mid x \mapsto n), \mathsf{skip}} \qquad\qquad \frac{\sigma, M \Downarrow \sigma', x}{\sigma, !M \Downarrow \sigma', \sigma'(x)}$$

Control structures: 

$$\frac{\sigma, M \Downarrow \sigma', \mathsf{skip} \qquad \sigma', N \Downarrow \sigma'', V}{\sigma, M ; N \Downarrow \sigma'', V}$$

$$\frac{\sigma, M \Downarrow \sigma', n}{\sigma, \mathsf{while}\ M\ \mathsf{do}\ N \Downarrow \sigma', \mathsf{skip}}\ n \neq 0$$

$$\frac{\sigma, M \Downarrow \sigma', 0 \qquad \sigma', N \Downarrow \sigma'', \mathsf{skip} \qquad \sigma'', \mathsf{while}\ M\ \mathsf{do}\ N \Downarrow \sigma''', \mathsf{skip}}{\sigma, \mathsf{while}\ M\ \mathsf{do}\ N \Downarrow \sigma''', \mathsf{skip}}$$

$$\frac{\sigma, M \Downarrow \sigma', 0 \qquad \sigma', N_1 \Downarrow \sigma'', V}{\sigma, \mathsf{if\ zero}\ M\ \mathsf{then}\ N_1\ \mathsf{else}\ N_2 \Downarrow \sigma'', V}$$

$$\frac{\sigma, M \Downarrow \sigma', n \qquad \sigma', N_2 \Downarrow \sigma'', V}{\sigma, \mathsf{if\ zero}\ M\ \mathsf{then}\ N_1\ \mathsf{else}\ N_2 \Downarrow \sigma'', V}\ n \neq 0$$

Local blocks: 

$$\frac{(\sigma \mid x \mapsto 0), M \Downarrow (\sigma' \mid x \mapsto n), V}{\sigma, \mathsf{new}\ x\ \mathsf{in}\ M \Downarrow \sigma', V}$$

Note that in the rule for local blocks, the well-formedness constraints on the conclusion $\sigma, \mathsf{new}\ x\ \mathsf{in}\ M \Downarrow \sigma', V$ mean that the domains of definition of $\sigma$ and $\sigma'$ are the same, and do not include $x$. Therefore the variable $x$ is only available during the execution of the block $M$. 

We remark that, though the operational semantics takes account of the possibility that evaluating a term of function type could change the store, the fact that all the store-changing term constructs are confined to the base types means that this does not happen: whenever $\sigma, M \Downarrow \sigma', V$ for some $M$ and $V$ of type $A \multimap B$, we have $\sigma = \sigma'$, as a straightforward induction will establish. 

We now define a notion of contextual equivalence on programs in the usual way: given terms $\Gamma \vdash M, N : A$, we say that $M$ and $N$ are contextually equivalent, and write $M \cong N$, if and only if for every context $C[-]$ such that $\vdash C[M], C[N] : B$ for $B \in \{\mathsf{comm}, \mathsf{nat}\}$, and every value $\vdash V : B$, 

$$C[M] \Downarrow V \iff C[N] \Downarrow V.$$

(We omit the unique store over no variables from the operational semantic judgments.) 

One can also define a contextual preorder: given the same data as above, we write $M \sqsubseteq N$ iff for all contexts $C[-]$ and values $V$, 

$$C[M] \Downarrow V \Rightarrow C[N] \Downarrow V.$$
4. Reddy's object-spaces model 

In this section we give a direct, concrete definition of a semantics for SCI which accords with 
the model given by Reddy [19]. To begin with we define the model without imposing any 
structure on it, simply using sets and relations. Later we go on to construct a category in 
which our modified graph model lives as a monoid of endomorphisms of a particular object, 
and show that the model of SCI inhabits that category. We shall then exploit the structure 
of the category to obtain a clean proof of the model's soundness. However, for pedagogical 
reasons we believe the concrete presentation of the model in this section is worthwhile. In 
particular, for the fragment of the language without abstraction and application, the model 
is very simple and intuitively appealing, and its soundness is easy to establish. 

4.1. A model based on events. The key idea behind Reddy's model is that computations 
are interpreted not as mappings from initial to final states (i.e. state transformers), but using 
sequences of observable events. A program will have as its denotation a set of tuples of such 
sequences. 

A type is interpreted as a set: the set of observable events at that type. We define the 
semantics of types as follows. 

$$\begin{array}{rcl}
[\![\mathsf{nat}]\!] & = & \mathbb{N}, \text{ the set of natural numbers} \\
[\![\mathsf{comm}]\!] & = & \{\ast\}, \text{ a singleton set} \\
[\![\mathsf{var}]\!] & = & \{\mathrm{read}(n), \mathrm{write}(n) \mid n \in \mathbb{N}\} \\
[\![A \multimap B]\!] & = & [\![A]\!]^* \times [\![B]\!]
\end{array}$$

where $[\![A]\!]^*$ denotes the set of finite sequences over $[\![A]\!]$. 

The basic event one can observe of a term of type nat is the production of a natural number, so $\mathbb{N}$ is the interpretation of nat. A closed term of type comm can do nothing interesting apart from terminating when executed, so comm is interpreted as a singleton set: we will see later that it is the open terms of type comm which behave more like state-transformers. At the type var, there are two kinds of event: $\mathrm{read}(n)$ events correspond to dereferencing a variable and receiving $n$ as the result, and $\mathrm{write}(n)$ events correspond to assigning $n$ to the variable, and observing termination of this operation. 

For the function types, the idea is that a single use of a function $A \multimap B$ will result in a single observable output event from $B$, but may give rise to a sequence of events in the argument of type $A$. Compare and contrast with Scott's $P\omega$ model: there functions are modelled as sets of pairs $(S, n)$ where $S$ is a set of input-observations and $n$ is an output, while here we have sets of pairs $(s, n)$ where the input observations form sequences rather than sets. 

The denotation of a term 

$$x_1 : A_1, \dots, x_n : A_n \vdash M : B$$

will be a set of tuples 

$$(s_1, \dots, s_n, b)$$

where each $s_i \in [\![A_i]\!]^*$ and $b \in [\![B]\!]$. Again the idea is that such a tuple records the ability of $M$ to produce observable event $b$ while itself observing the sequences $s_i$ of events in (the terms bound to) its free identifiers. 
4.1.1. Remark. Note that, in this model, the observed behaviour in each variable is recorded 
separately; that is, there is no record of how interactions with the various variables are 
interleaved. It is precisely this which means we can only model SCI rather than the full 
Idealized Algol language. The models based on game semantics refine the present model by 
breaking each event into two, a start and a finish, and recording the interleaving between 
actions, thereby overcoming this limitation. 

A little notation must be introduced before we give the definition of the semantics. We will abbreviate such tuples $s_1, \dots, s_n$ as $\vec{s}$, and semantic elements as above will become $(\vec{s}, b)$, or simply $b$ when $n = 0$. We use $\vec{s}\vec{s}\,'$ to denote the componentwise concatenation of the tuples of sequences $s_1, \dots, s_n$ and $s'_1, \dots, s'_n$. 

We say that a sequence s G [var]* is a cell-trace iff every read action in s carries the 
same value as the most recent write, if any, and zero if there has been no write yet. (A 
formal definition appears later.) 

We now give the definition of the semantics by induction on the typing derivation of 
terms: for each typing rule, Figure 1 gives an equation which defines the semantics of the 
term in the rule's conclusion by reference to the semantics of the terms in its hypotheses. 

4.2. Examples. 

• Consider the program swap, defined by 

$$x : \mathsf{var}, y : \mathsf{var}, z : \mathsf{var} \vdash z := !x ; x := !y ; y := !z : \mathsf{comm}.$$

It is straightforward to compute that $[\![\mathrm{swap}]\!]$ is the set 

$$\{(\mathrm{read}(n)\mathrm{write}(n'),\ \mathrm{read}(n')\mathrm{write}(n''),\ \mathrm{write}(n)\mathrm{read}(n''),\ \ast) \mid n, n', n'' \in \mathbb{N}\}.$$

The semantic definitions do not yet enforce variable-like behaviour, so that in particular $n$ and $n''$ need not be equal. 

However, the semantics of $\mathsf{new}\ z\ \mathsf{in}\ \mathrm{swap}$ selects just those entries in which $z$ behaves like a good variable, so that $n = n''$, and then hides the $z$-behaviour: 

$$[\![\mathsf{new}\ z\ \mathsf{in}\ \mathrm{swap}]\!] = \{(\mathrm{read}(n)\mathrm{write}(n'),\ \mathrm{read}(n')\mathrm{write}(n),\ \ast) \mid n, n' \in \mathbb{N}\}.$$

Thus the values in $x$ and $y$ are swapped, and the semantics does not record anything about the use of $z$ or the fact that $x$ was reassigned first. 

• The type $\mathsf{comm} \multimap \mathsf{comm}$ has as its elements all pairs of the form 

$$(\ast\ast\cdots\ast,\ \ast).$$

A deterministic program of this type will contain at most one such element in its denotation, corresponding to a "for loop" which executes its argument a fixed, finite number of times. There is also the empty set, corresponding to a program which never terminates regardless of its argument. 
$$[\![x : A \vdash x : A]\!] = \{(a, a) \mid a \in [\![A]\!]\}$$

$$[\![\Gamma \vdash \lambda x^A.M : A \multimap B]\!] = \{(s_1, \dots, s_n, (s, b)) \mid (s_1, \dots, s_n, s, b) \in [\![\Gamma, x : A \vdash M : B]\!]\}$$

$$[\![\Gamma, \Delta \vdash MN : B]\!] = \{(\vec s, \vec t_1 \cdots \vec t_k, b) \mid \exists a_1, \dots, a_k.\ (\vec s, (a_1 \cdots a_k, b)) \in [\![\Gamma \vdash M : A \multimap B]\!] \wedge (\vec t_i, a_i) \in [\![\Delta \vdash N : A]\!] \text{ for } i = 1, \dots, k\}$$

$$[\![\Gamma, x : A \vdash M : B]\!] = \{(\vec s, \varepsilon, b) \mid (\vec s, b) \in [\![\Gamma \vdash M : B]\!]\}$$

$$[\![\Gamma' \vdash M : A]\!] = \{(\vec s\,', a) \mid (\vec s, a) \in [\![\Gamma \vdash M : A]\!]\}, \text{ where } \vec s\,' \text{ permutes } \vec s \text{ as } \Gamma' \text{ permutes } \Gamma$$

$$[\![\vdash n : \mathsf{nat}]\!] = \{n\}$$

$$[\![\Gamma \vdash M_1 \odot M_2 : \mathsf{nat}]\!] = \{(\vec s \vec s\,', m_1 \odot m_2) \mid (\vec s, m_1) \in [\![\Gamma \vdash M_1 : \mathsf{nat}]\!], (\vec s\,', m_2) \in [\![\Gamma \vdash M_2 : \mathsf{nat}]\!]\}$$

$$[\![\vdash \mathsf{skip} : \mathsf{comm}]\!] = \{\ast\}$$

$$[\![\Gamma \vdash M ; N : B]\!] = \{(\vec s \vec s\,', b) \mid (\vec s, \ast) \in [\![\Gamma \vdash M : \mathsf{comm}]\!], (\vec s\,', b) \in [\![\Gamma \vdash N : B]\!]\}$$

$$[\![\Gamma \vdash M := N : \mathsf{comm}]\!] = \{(\vec s \vec s\,', \ast) \mid (\vec s, n) \in [\![\Gamma \vdash N : \mathsf{nat}]\!], (\vec s\,', \mathrm{write}(n)) \in [\![\Gamma \vdash M : \mathsf{var}]\!]\}$$

$$[\![\Gamma \vdash\ !M : \mathsf{nat}]\!] = \{(\vec s, n) \mid (\vec s, \mathrm{read}(n)) \in [\![\Gamma \vdash M : \mathsf{var}]\!]\}$$

$$[\![\Gamma \vdash \mathsf{while}\ M\ \mathsf{do}\ N : \mathsf{comm}]\!] = \{(\vec s_1 \vec t_1 \cdots \vec s_k \vec t_k \vec s, \ast) \mid \forall i.\ (\vec s_i, 0) \in [\![\Gamma \vdash M : \mathsf{nat}]\!] \wedge (\vec t_i, \ast) \in [\![\Gamma \vdash N : \mathsf{comm}]\!] \wedge \exists m \neq 0.\ (\vec s, m) \in [\![\Gamma \vdash M : \mathsf{nat}]\!]\}$$

$$[\![\Gamma \vdash \mathsf{if\ zero}\ M\ \mathsf{then}\ N_1\ \mathsf{else}\ N_2 : B]\!] = \{(\vec s \vec t, b) \mid (\vec s, 0) \in [\![\Gamma \vdash M : \mathsf{nat}]\!], (\vec t, b) \in [\![\Gamma \vdash N_1 : B]\!]\}$$

$$\cup\ \{(\vec s \vec t, b) \mid \exists m \neq 0.\ (\vec s, m) \in [\![\Gamma \vdash M : \mathsf{nat}]\!], (\vec t, b) \in [\![\Gamma \vdash N_2 : B]\!]\}$$

$$[\![\Gamma \vdash \mathsf{new}\ x\ \mathsf{in}\ M : B]\!] = \{(\vec s, b) \mid \exists s.\ (\vec s, s, b) \in [\![\Gamma, x : \mathsf{var} \vdash M : B]\!] \wedge s \text{ a cell-trace}\}$$

Figure 1: Reddy-style semantics of SCI 

4.3. Soundness for the ground types. We now prove that our model is sound with 
respect to the operational semantics for the fragment of the language excluding abstraction, 
application, and non-base types. We refer to this fragment as bSCI; it is essentially the 
language of while-programs plus block allocated variables. 
First let us introduce a little more notation. 

We define a notion of state transition. Given a sequence $s \in [\![\mathsf{var}]\!]^*$, we define the transitions 

$$n \xrightarrow{s} n'$$

where $n$ and $n'$ are natural numbers, as follows. 

$$n \xrightarrow{\varepsilon} n \qquad\quad n \xrightarrow{\mathrm{read}(n)} n \qquad\quad n \xrightarrow{\mathrm{write}(n')} n' \qquad\quad \frac{n \xrightarrow{s} n' \qquad n' \xrightarrow{s'} n''}{n \xrightarrow{ss'} n''}$$

We write $n \xrightarrow{s}$ to mean that $n \xrightarrow{s} n'$ for some $n'$. We can now give a precise definition of cell-trace: a sequence $s \in [\![\mathsf{var}]\!]^*$ is a cell-trace if and only if $0 \xrightarrow{s}$. Note also that $n \xrightarrow{s}$ if and only if $\mathrm{write}(n)s$ is a cell-trace. 

We extend this to traces involving more than one var type as follows. Given a context $x_1 : \mathsf{var}, \dots, x_n : \mathsf{var}$, an element $\vec s = (s_1, \dots, s_n) \in [\![\mathsf{var}]\!]^* \times \cdots \times [\![\mathsf{var}]\!]^*$, and stores $\sigma$ and $\sigma'$ in variables $x_1, \dots, x_n$, we write 

$$\sigma \xrightarrow{\vec s} \sigma'$$

iff 

$$\sigma(x_i) \xrightarrow{s_i} \sigma'(x_i)$$

for each $i$. 

Definition. Say that a term $\Gamma \vdash M : B$, where $B$ is a base type and $\Gamma$ contains only var-typed variables, is good if and only if: 

Case $B = \mathsf{comm}$: for all stores $\sigma, \sigma'$ over $\Gamma$, 

$$\sigma, M \Downarrow \sigma', \mathsf{skip} \iff \exists (\vec s, \ast) \in [\![M]\!].\ \sigma \xrightarrow{\vec s} \sigma'$$

Case $B = \mathsf{nat}$: for all stores $\sigma, \sigma'$ over $\Gamma$ and all $n \in \mathbb{N}$, 

$$\sigma, M \Downarrow \sigma', n \iff \exists (\vec s, n) \in [\![M]\!].\ \sigma \xrightarrow{\vec s} \sigma'$$

Case $B = \mathsf{var}$: $\Gamma \vdash\ !M : \mathsf{nat}$ is good and for all $n \in \mathbb{N}$, $\Gamma \vdash M := n : \mathsf{comm}$ is good. 

Lemma 4.1. All terms $\Gamma \vdash M : B$ of bSCI, where $B$ is a base type and $\Gamma$ contains only var-typed variables, are good in the above sense. 

Proof. We proceed by induction on the structure of the term $M$. For the constants skip and $n$, the result is trivial. For variables $x : \mathsf{var}$, we must show that both $!x$ and $x := n$ are good. 

Unpacking the definitions, we have 

$$[\![!x]\!] = \{(\varepsilon, \mathrm{read}(n), \varepsilon, n) \mid n \in \mathbb{N}\}$$

where the $\varepsilon$ entries stand for the empty traces at the identifiers of $\Gamma$ other than $x$. But $\sigma \xrightarrow{(\varepsilon, \mathrm{read}(n), \varepsilon)} \sigma'$ if and only if $\sigma' = \sigma$ and $\sigma(x) = n$, which holds if and only if $\sigma, !x \Downarrow \sigma', n$. 

For the assignment part, we have 

$$[\![x := n]\!] = \{(\varepsilon, \mathrm{write}(n), \varepsilon, \ast)\}$$

and $\sigma \xrightarrow{(\varepsilon, \mathrm{write}(n), \varepsilon)} \sigma'$ if and only if $\sigma' = (\sigma \mid x \mapsto n)$, which holds if and only if $\sigma, x := n \Downarrow \sigma', \mathsf{skip}$. 
For $\mathsf{while}\ M\ \mathsf{do}\ N$, first note that 

$$\sigma, \mathsf{while}\ M\ \mathsf{do}\ N \Downarrow \sigma', \mathsf{skip}$$

if and only if there are sequences of stores $\sigma_i$ and $\tau_i$, for $i = 1, \dots, n$, such that $\sigma = \sigma_1$, $\sigma' = \tau_n$, 

$$\sigma_i, M \Downarrow \tau_i, 0 \qquad\qquad \tau_i, N \Downarrow \sigma_{i+1}, \mathsf{skip}$$

for $i = 1, \dots, n-1$ and 

$$\sigma_n, M \Downarrow \tau_n, k$$

for some $k \neq 0$. (This can be proved by induction on derivations in the operational semantics of while.) 

Therefore, applying the inductive hypothesis to $M$ and $N$, we have that 

$$\sigma, \mathsf{while}\ M\ \mathsf{do}\ N \Downarrow \sigma', \mathsf{skip}$$

if and only if there are $\vec s_1, \dots, \vec s_n$ and $\vec t_1, \dots, \vec t_{n-1}$ such that 

$$(\vec s_i, 0) \in [\![M]\!] \qquad\qquad (\vec t_i, \ast) \in [\![N]\!]$$

for $i = 1, \dots, n-1$ and 

$$(\vec s_n, k) \in [\![M]\!]$$

for some $k \neq 0$, and moreover 

$$\sigma_i \xrightarrow{\vec s_i} \tau_i \qquad\qquad \tau_i \xrightarrow{\vec t_i} \sigma_{i+1}$$

for $i = 1, \dots, n-1$ and $\sigma_n \xrightarrow{\vec s_n} \tau_n$. But then we have that 

$$\sigma_1 \xrightarrow{\vec s_1 \vec t_1 \cdots \vec s_{n-1} \vec t_{n-1} \vec s_n} \tau_n$$

and 

$$(\vec s_1 \vec t_1 \cdots \vec s_{n-1} \vec t_{n-1} \vec s_n, \ast) \in [\![\mathsf{while}\ M\ \mathsf{do}\ N]\!]$$

by definition. Furthermore, all elements of $[\![\mathsf{while}\ M\ \mathsf{do}\ N]\!]$ with cell-traces in the $\Gamma$ part are of this form, which establishes the converse. 

The case of $\mathsf{if\ zero}\ M\ \mathsf{then}\ N_1\ \mathsf{else}\ N_2$ is similar to this one, and simpler. 

Consider the case of $M := N$. By definition of the operational semantics, 

$$\sigma, M := N \Downarrow \sigma', \mathsf{skip}$$

if and only if there are $\sigma'', \sigma''', x$ and $n$ such that 

$$\sigma, N \Downarrow \sigma'', n \qquad\qquad \sigma'', M \Downarrow \sigma''', x$$

and $\sigma' = (\sigma''' \mid x \mapsto n)$. This is the same as saying 

$$\sigma, N \Downarrow \sigma'', n \qquad\qquad \sigma'', M := n \Downarrow \sigma', \mathsf{skip}. \tag{4.1}$$

By the inductive hypothesis, both $N$ and $M$ are good, and hence by definition of "good" for terms of type var, $M := n$ is good, so (4.1) holds if and only if we have 

$$(\vec s, n) \in [\![N]\!] \qquad\qquad (\vec t, \ast) \in [\![M := n]\!] \tag{4.2}$$

such that 

$$\sigma \xrightarrow{\vec s} \sigma'' \qquad\qquad \sigma'' \xrightarrow{\vec t} \sigma'.$$

By definition of the semantics, 

$$(\vec t, \ast) \in [\![M := n]\!] \iff (\vec t, \mathrm{write}(n)) \in [\![M]\!]$$

so (4.2) holds if and only if 

$$(\vec s \vec t, \ast) \in [\![M := N]\!].$$

The case of $!M$ follows directly from the inductive hypothesis: since $M$ is good, so is $!M$. 
Finally we consider $\mathsf{new}\ x\ \mathsf{in}\ M : \mathsf{comm}$ (the nat case is similar). By definition of the operational semantics, 

$$\sigma, \mathsf{new}\ x\ \mathsf{in}\ M \Downarrow \sigma', \mathsf{skip}$$

iff 

$$(\sigma \mid x \mapsto 0), M \Downarrow (\sigma' \mid x \mapsto n), \mathsf{skip}$$

for some $n$. By the inductive hypothesis, this is possible if and only if there is some $(\vec s, s', \ast) \in [\![M]\!]$ with 

$$\sigma \xrightarrow{\vec s} \sigma' \qquad\qquad 0 \xrightarrow{s'} n.$$

The second condition above is the definition of $s'$ being a cell-trace, so this holds if and only if $(\vec s, \ast) \in [\![\mathsf{new}\ x\ \mathsf{in}\ M]\!]$ as required. □ 

The fact that all terms are good gives us the following soundness result for bSCI. 

Corollary 4.2. For any closed term $\vdash M : B$ of bSCI, where $B$ is comm or nat, $M \Downarrow V$ if and only if $[\![M]\!] = [\![V]\!]$. □ 
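The following Python is an added example, not code from the paper, that puts the pieces of Sections 3 and 4 together for the loop-and-block fragment bSCI: a big-step interpreter for the operational semantics of Section 3, the Reddy-style denotation of Figure 1, the state transitions of Section 4.3, and a brute-force check of the "good" property of Lemma 4.1 on the swap program of Section 4.2. To keep every denotation a finite set it assumes a three-element range of nat values (VALS) and truncates the denotation of while at UNROLL iterations; the tuple syntax for terms and the event names 'r'/'w' are likewise this example's own, and terms of type var are identifiers, as in bSCI.

```python
from itertools import product

# Constructed finite fragment of bSCI (an assumption of this example, not of the
# paper): nat is cut to VALS so denotations are finite, and while is unrolled at most UNROLL times.
VALS = (0, 1, 2)
UNROLL = 4

# Terms as nested tuples (a constructed syntax); stores are dicts identifier ->
# value and '*' is the value of a command:  ('num', n) ('skip',) ('deref', x)
# ('assign', x, N) ('seq', M, N) ('ifz', M, N1, N2) ('while', M, N) ('new', x, M)

# --- operational semantics of Section 3: run(sigma, M) = (sigma', V) --------
def run(sigma, t):
    k = t[0]
    if k == 'num':   return sigma, t[1]
    if k == 'skip':  return sigma, '*'
    if k == 'deref': return sigma, sigma[t[1]]
    if k == 'assign':                  # N is evaluated first, then x is updated
        s1, n = run(sigma, t[2])
        return {**s1, t[1]: n}, '*'
    if k == 'seq':
        return run(run(sigma, t[1])[0], t[2])
    if k == 'ifz':
        s1, n = run(sigma, t[1])
        return run(s1, t[2] if n == 0 else t[3])
    if k == 'while':
        s1, n = run(sigma, t[1])
        if n != 0:
            return s1, '*'
        return run(run(s1, t[2])[0], t)
    if k == 'new':                     # x starts at 0 and is dropped from the final store
        s1, v = run({**sigma, t[1]: 0}, t[2])
        return {y: n for y, n in s1.items() if y != t[1]}, v
    raise ValueError(t)

# --- state transitions n --s--> n' of Section 4.3 ----------------------------
def step(n, s):                        # cell contents after s from n; None if a read is stale
    for kind, v in s:
        if kind == 'w':
            n = v
        elif v != n:
            return None
    return n

# --- Reddy-style denotation of Figure 1: [[x1..xn |- M : B]] is a set of tuples
# (s1, ..., sn, b), each si a tuple of events ('r', v) / ('w', v) observed at xi.
def cat(s, t):                         # componentwise concatenation of trace tuples
    return tuple(a + b for a, b in zip(s, t))

def den(t, xs):
    k = t[0]
    eps = tuple(() for _ in xs)
    one = lambda x, e: tuple(((e,) if y == x else ()) for y in xs)
    if k == 'num':   return {eps + (t[1],)}
    if k == 'skip':  return {eps + ('*',)}
    if k == 'deref': return {one(t[1], ('r', v)) + (v,) for v in VALS}
    if k == 'assign':
        return {cat(s, one(t[1], ('w', v))) + ('*',) for *s, v in den(t[2], xs)}
    if k == 'seq':
        return {cat(s, u) + (b,) for *s, _ in den(t[1], xs) for *u, b in den(t[2], xs)}
    if k == 'ifz':
        G, D1, D2 = den(t[1], xs), den(t[2], xs), den(t[3], xs)
        return ({cat(s, u) + (b,) for *s, m in G if m == 0 for *u, b in D1}
                | {cat(s, u) + (b,) for *s, m in G if m != 0 for *u, b in D2})
    if k == 'while':   # s1 t1 ... sk tk s with (si,0),(s,m!=0) in [[M]], (ti,*) in [[N]]
        G, D = den(t[1], xs), den(t[2], xs)
        zero = [tuple(s) for *s, m in G if m == 0]
        stop = [tuple(s) for *s, m in G if m != 0]
        body = [tuple(u) for *u, _ in D]
        out, prefixes = set(), {eps}
        for _ in range(UNROLL):
            out |= {cat(p, s) + ('*',) for p in prefixes for s in stop}
            prefixes = {cat(cat(p, s), u) for p in prefixes for s in zero for u in body}
        return out
    if k == 'new':     # keep only cell-traces at x (0 --s-->), then hide x
        return {tuple(s[:-1]) + (b,) for *s, b in den(t[2], xs + (t[1],))
                if step(0, s[-1]) is not None}
    raise ValueError(t)

# --- the "good" property of Lemma 4.1, checked by brute force ----------------
def stores(xs):
    return [dict(zip(xs, vs)) for vs in product(VALS, repeat=len(xs))]

def is_good(t, xs):
    """sigma, M => sigma', b  iff  some (s, b) in [[M]] has sigma --s--> sigma'."""
    D = den(t, xs)
    for sig in stores(xs):
        result = run(sig, t)
        for tau in stores(xs):
            for b2 in VALS + ('*',):
                denot = any(b == b2 and all(step(sig[x], s) == tau[x] for x, s in zip(xs, ss))
                            for *ss, b in D)
                if (result == (tau, b2)) != denot:
                    return False
    return True

# The swap program of Section 4.2, as a constructed term.
SWAP = ('seq', ('assign', 'z', ('deref', 'x')),
        ('seq', ('assign', 'x', ('deref', 'y')), ('assign', 'y', ('deref', 'z'))))
NEW_SWAP = ('new', 'z', SWAP)
```

With three values, `den(SWAP, ('x', 'y', 'z'))` has the 27 elements of the first set in Section 4.2 and `den(NEW_SWAP, ('x', 'y'))` the 9 elements of the second, the cell-trace filter in the `new` case having forced n = n''; `is_good(NEW_SWAP, ('x', 'y'))` then confirms by enumeration that the operational and denotational readings agree on every pair of stores. Nothing here is a proof of the lemma; it is the lemma's statement instantiated on one program and one finite value range.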



5. A CATEGORY OF MONOIDS AND RELATIONS 

Before going on to establish the soundness of Reddy's model for the whole of SCI, we shall develop a categorical setting for the model, based on monoids and relations. Our monoid $\mathcal{M}$ appears as the monoid of endomorphisms of an object in this category, so the retracts of this object all live in the category $\mathcal{K}(\mathcal{M})$. It happens that all the objects we use to interpret types of SCI are indeed retracts of this object, so the graph construction does indeed yield a category suitable for modelling imperative computation. Nevertheless it is useful to describe the larger category. Not only is its construction straightforward, but also it possesses some structure beyond that of $\mathcal{K}(\mathcal{M})$ which makes the description of Reddy's model more straightforward, and allows the soundness result above to be extended to the whole language using algebraic reasoning. 

We believe that there is a more general description of these constructions to be found, perhaps extending the work of [7]; but we leave this for future work. 

To build our category, we will be making use of the category Mon of monoids and ho- 
momorphisms, and exploiting the product, coproduct and powerset operations on monoids, 
and the notion of the free monoid over a set. For the sake of completeness, we review these 
constructions here. 

First some notation. For a monoid $A$, we use $\varepsilon_A$ to denote the identity element, and write monoid multiplication as concatenation, or occasionally using the symbol $\cdot_A$. The underlying set of the monoid $A$ is written as $UA$. 

5.0.1. Free monoids. Recall that for any set A, the free monoid over A is given by A*, the 
monoid of strings over A, also known as the Kleene monoid over A. The operation taking 
A to A* is left-adjoint to the forgetful functor U : Mon — > Set. 
5.0.2. Products. The category Mon has products. The product of monoids A and B is a 
monoid with underlying set UA xUB, the Cartesian product of sets. The monoid operation 
is defined by 

$$(a, b)(a', b') = (a \cdot_A a', b \cdot_B b').$$

The identity element is $(\varepsilon_A, \varepsilon_B)$. Projection and pairing maps in Mon are given by the 
corresponding maps on the underlying sets. The terminal object is the one-element monoid. 
The construction given above generalizes to give all small products. 

5.0.3. Coproducts. The category Mon also has finite coproducts. These are slightly awk- 
ward to define in general, and since we will not be making use of the general construction, 
we omit it here. 

The special case of the coproduct of two free monoids is easy to define. Since the 
operation of building a free monoid from a set is left adjoint to the forgetful functor U, it 
preserves colimits and in particular coproducts. For sets A and B, the coproduct monoid 
A* + B* is therefore given by (A + B)*, the monoid of strings over the disjoint union of A 
and B. 

The initial object is the one-element monoid. 

5.0.4. Powerset. The familiar powerset construction on Set lifts to Mon and retains much 
of its structure. Given a monoid A, define the monoid $\mathcal{P}A$ as follows. Its underlying set is 
the powerset of UA, that is, the set of subsets of UA. Monoid multiplication is defined by 

$$ST = \{x \cdot_A y \mid x \in S, y \in T\}$$

and the identity is the singleton set $\{e_A\}$. 

We will make use of the Kleisli category $\mathbf{Mon}_{\mathcal{P}}$. This category can be defined concretely 
as follows. Its objects are monoids, and a map from A to B is a monoid homomorphism 
from A to $\mathcal{P}B$. The identity on A is the singleton map which takes each $a \in A$ to $\{a\}$. 
Morphisms are composed as follows: given maps $f : A \to B$ and $g : B \to C$, the composite 
$f ; g : A \to C$ is defined by 

$$(f ; g)(a) = \{c \mid \exists b \in f(a).\ c \in g(b)\}.$$

The fact that powerset is a commutative monad on Mon means that the product 
structure on Mon lifts to a monoidal structure on $\mathbf{Mon}_{\mathcal{P}}$ as follows. We define $A \otimes B$ to 
be the monoid $A \times B$. For the functorial action, we make use of the double strength map 

$$\theta_{A,B} : \mathcal{P}A \times \mathcal{P}B \to \mathcal{P}(A \times B)$$

defined by 

$$\theta_{A,B}(S, T) = \{(x, y) \mid x \in S, y \in T\}.$$

This is a homomorphism of monoids. With this in place, given maps $f : A \to B$ and 
$g : C \to D$ in $\mathbf{Mon}_{\mathcal{P}}$, we can define $f \otimes g : A \otimes C \to B \otimes D$ as the homomorphism 
$f \times g ; \theta_{B,D}$. See for example [8] for more details on this construction. 

5.1. The category. The category we will use to model SCI is $(\mathbf{Mon}_{\mathcal{P}})^{op}$. This category 
can be seen as a category of "monoids and relations" of a certain kind, so we will call it 
MonRel. 

We now briefly explore some of the structure that MonRel possesses. 
5.1.1. Monoidal structure. The monoidal structure on $\mathbf{Mon}_{\mathcal{P}}$ described above is directly 
inherited by MonRel. Furthermore, since the unit I of the monoidal structure is given 
by the one-element monoid, which is also an initial object in Mon, I is in fact a terminal 
object in MonRel, so the category has an affine structure. An important consequence of 
this is that projections exist: for any $A_1, \ldots, A_n$ there are canonical maps 

$$\pi_i : A_1 \otimes \cdots \otimes A_n \to A_i.$$

5.1.2. Exponentials. Let A and B be any monoids, and C* be the free monoid over some 
set C. Consider the following sequence of natural isomorphisms and definitional equalities. 

$$\begin{aligned}
\mathbf{MonRel}(A \otimes B, C^*) &= \mathbf{Mon}(C^*, \mathcal{P}(A \times B)) \\
&\cong \mathbf{Set}(C, U\mathcal{P}(A \times B)) \\
&\cong \mathbf{Rel}(C, UA \times UB) \\
&\cong \mathbf{Rel}(UB \times C, UA)
\end{aligned}$$

Similarly we can show that 

$$\mathbf{Rel}(UB \times C, UA) \cong \mathbf{MonRel}(A, (UB \times C)^*).$$

The exponential $B \multimap C^*$ is therefore given by $(UB \times C)^*$. It is important to note that the 
free monoids are closed under this operation, so that we can form $A_1 \multimap (A_2 \multimap \ldots (A_n \multimap C^*))$ 
for any $A_1, \ldots, A_n$. That is to say, the free monoids form an exponential ideal in 
MonRel. 

Given a map $f : A \otimes B \to C^*$ in MonRel, we write $\Lambda(f)$ for the curried map $A \to (B \multimap C^*)$. 
The counit of the adjunction is written 

$$\mathrm{ev} : (B \multimap C^*) \otimes B \to C^*.$$

5.1.3. Products. The coproduct in Mon is inherited by the Kleisli category $\mathbf{Mon}_{\mathcal{P}}$, and 
since MonRel is the opposite of this category, MonRel has products. 

5.1.4. An alternative characterization. We can also describe the category MonRel con- 
cretely, as follows. Objects are monoids, and maps $A \to B$ are relations R between (the 
underlying sets of) A and B, with the following properties: 

homomorphism: $e_A R e_B$, and if $a_1 R b_1$ and $a_2 R b_2$, then $a_1 a_2 R b_1 b_2$ 

identity reflection: if $a R e_B$ then $a = e_A$ 

decomposition: if $a R b_1 b_2$ then there exist $a_1, a_2 \in A$ such that $a_i R b_i$ for $i = 1, 2$ and 
$a = a_1 a_2$. 

Identities and composition are as usual for relations. Note that the property of "identity 
reflection" is merely the nullary case of the property of "decomposition". 

It is routine to show that this definition yields a category isomorphic to $(\mathbf{Mon}_{\mathcal{P}})^{op}$. 
The action of the isomorphism is as follows. Given a map $A \to B$ in $(\mathbf{Mon}_{\mathcal{P}})^{op}$, that is to 
say, a homomorphism 

$$f : B \to \mathcal{P}(A)$$

we can define a relation $R_f$ between A and B as the set of pairs $\{(a, b) \mid a \in f(b)\}$. 
5.1.5. Recovering the monoid $\mathcal{M}$. We remark that the monoid of endomorphisms of the 
object $\omega^*$, the monoid of sequences of natural numbers, is exactly the monoid $\mathcal{M}$ of Section 2. 
A map $\omega^* \to \omega^*$ consists of a monoid homomorphism $\omega^* \to \mathcal{P}\omega^*$ which is the same as an 
ordinary function $\omega \to \mathcal{P}\omega^*$. Reversing the arrows and using the characterization of Rel as 
the Kleisli category for $\mathcal{P}$ on Set, this is just a subset of $\omega^* \times \omega$, and it is routine to check 
that the composition of these sets is as described in Section 2. 

It follows that the full subcategory of MonRel consisting of objects which are retracts 
of $\omega^*$ can also be seen as a subcategory of the Karoubi envelope $\mathcal{K}(\mathcal{M})$, and it will turn out 
that all the types of SCI are modelled using objects of this subcategory. Just as Scott used 
the Karoubi envelope of $\mathcal{P}\omega$ as a category for giving semantics, we can use $\mathcal{K}(\mathcal{M})$. However, 
MonRel proves to be a more convenient category, because it possesses additional objects, 
in particular tensor products such as $\omega^* \otimes \omega^*$, which assist in the description and analysis 
of our model but do not belong to $\mathcal{K}(\mathcal{M})$. 

It is perhaps worth remarking that Reddy's original work struggled to find a satisfying 
categorical setting for the model, resorting to the use of multicategories in the absence of 
objects such as $\omega^* \otimes \omega^*$. We believe our new categorical setting paints a more convincing 
picture. 

5.2. Modelling SCI in MonRel. We now show how Reddy's model of SCI lives in 
MonRel. Types are interpreted as objects of the category, that is, as monoids. Indeed 
every type is interpreted as the free monoid over the set which we used for the direct pre- 
sentation of the semantics given above. Formally we can give an inductive definition of the 
semantics of types as follows. 

$$\llbracket \mathrm{comm} \rrbracket = 1^*$$

$$\llbracket \mathrm{nat} \rrbracket = \mathbb{N}^*$$

$$\llbracket \mathrm{var} \rrbracket = \llbracket \mathrm{comm} \rrbracket^{\omega} \times \llbracket \mathrm{nat} \rrbracket$$

$$\llbracket A \multimap B \rrbracket = \llbracket A \rrbracket \multimap \llbracket B \rrbracket.$$

For the definition of [[A ⊸ B]] to make sense it is essential that every [[B]] is a free monoid. 
This is clear for the base types comm and nat. Recalling that products in MonRel come 
from coproducts in Mon, and that the coproduct of free monoids is again a free monoid, 
we see that [[var]] is a free monoid, and therefore by induction every type is interpreted as 
the free monoid over some alphabet. 

Let us write αA for the underlying alphabet of [[A]], and verify that for every type A, 
αA is the set that was used in the direct presentation of the semantics above. 

For comm and nat, this is clear. To see that the same holds for var, recall that products 
in MonRel come from coproducts in Mon, which for free monoids are given by disjoint 
union of alphabets. So 

αvar = 

The single element of the nth summand of the left component corresponds to write(n), and 
the element n of the right component corresponds to read(n); indeed we will continue to 
use this notation below. Our reason for giving the semantic definition in the above form 
will become clear when we come to the semantics of assignment and dereferencing. 
Finally, by the definition of exponential, 

$$\alpha(A \multimap B) = (\alpha A)^* \times \alpha B$$

which agrees with our previous definition. 

For the semantics of terms, we exploit the categorical structure of MonRel: the λ-calculus 
part is interpreted using the monoidal and exponential structure of the category, 
while the constants are interpreted by defining particular maps in the category, making use 
of products for those constants which allow their operands to share variables. 

A term $x_1 : A_1, \ldots, x_n : A_n \vdash M : B$ is interpreted as a map 

$$\llbracket M \rrbracket : \llbracket A_1 \rrbracket \otimes \cdots \otimes \llbracket A_n \rrbracket \to \llbracket B \rrbracket$$

(If Γ is the context $x_1 : A_1, \ldots, x_n : A_n$ we will often abbreviate the object 
$\llbracket A_1 \rrbracket \otimes \cdots \otimes \llbracket A_n \rrbracket$ as [[Γ]]). Unpacking definitions, such a map is a homomorphism 

$$\llbracket B \rrbracket \to \mathcal{P}(\llbracket A_1 \rrbracket \times \cdots \times \llbracket A_n \rrbracket).$$

Since all types are interpreted as free monoids, this is the same as an ordinary function 

$$\alpha B \to \mathcal{P}((\alpha A_1)^* \times \cdots \times (\alpha A_n)^*)$$

which in turn corresponds to a subset of 

$$(\alpha A_1)^* \times \cdots \times (\alpha A_n)^* \times \alpha B.$$

Under this representation, the denotations of terms in MonRel have the same form as 
those in the direct presentation, and we will use the "sets of tuples" when we need to define 
morphisms explicitly. 

A variable is interpreted as the identity map: 

$$\llbracket x : A \vdash x : A \rrbracket = \mathrm{id} : \llbracket A \rrbracket \to \llbracket A \rrbracket.$$

Weakening is interpreted using projections: if 

$$\llbracket \Gamma \vdash M : B \rrbracket = f : \llbracket \Gamma \rrbracket \to \llbracket B \rrbracket$$

then 

$$\llbracket \Gamma, x : A \vdash M : B \rrbracket = \pi ; f$$

where $\pi : \llbracket \Gamma \rrbracket \otimes \llbracket A \rrbracket \to \llbracket \Gamma \rrbracket$ is a projection map. 

Exchange is interpreted using the symmetry isomorphisms: for any permutation on a 
context taking Γ to Γ' there is a corresponding isomorphism $\mathrm{symm} : \llbracket \Gamma' \rrbracket \to \llbracket \Gamma \rrbracket$, and then 

$$\llbracket \Gamma' \vdash M : A \rrbracket = \mathrm{symm} ; \llbracket \Gamma \vdash M : A \rrbracket.$$

Abstraction is interpreted using the currying part of the exponential adjunction: if 

$$\llbracket \Gamma, x : A \vdash M : B \rrbracket = f : \llbracket \Gamma \rrbracket \otimes \llbracket A \rrbracket \to \llbracket B \rrbracket$$

then 

$$\llbracket \Gamma \vdash \lambda x^A . M : A \multimap B \rrbracket = \Lambda(f) : \llbracket \Gamma \rrbracket \to \llbracket A \rrbracket \multimap \llbracket B \rrbracket.$$

Application is interpreted using ev: 

$$\llbracket M N \rrbracket = \llbracket M \rrbracket \otimes \llbracket N \rrbracket ; \mathrm{ev}.$$

It is straightforward to check that these definitions agree with the concrete ones given 
earlier. 






To interpret the basic imperative constructs, we define a collection of maps in the 
category. For instance, to interpret while M do N we use a map 

$$w : \llbracket \mathrm{nat} \rrbracket \times \llbracket \mathrm{comm} \rrbracket \to \llbracket \mathrm{comm} \rrbracket$$

which we will define below, and set 

$$\llbracket \mathrm{while}\ M\ \mathrm{do}\ N \rrbracket = \langle \llbracket M \rrbracket, \llbracket N \rrbracket \rangle ; w.$$

The object [[nat]] × [[comm]] is the free monoid over the alphabet ℕ ∪ {*}. We can therefore 
define w as the set of tuples 

$$w = \{(0\ {*}\ {*} \cdots {*}\ n,\ {*}) \mid n \neq 0\}.$$

Maps interpreting if zero M then $N_1$ else $N_2$, !M and M := N can be defined similarly 
and all yield interpretations which agree with the direct one. However, for assignment and 
dereferencing, the definition of [[var]] as [[comm]]^ω × [[nat]] suggests a more abstract definition 
using projections: there are projections 

$$\mathrm{assign}(n) : \llbracket \mathrm{var} \rrbracket \to \llbracket \mathrm{comm} \rrbracket$$

for each n, and 

$$\mathrm{deref} : \llbracket \mathrm{var} \rrbracket \to \llbracket \mathrm{nat} \rrbracket$$

and these are indeed the maps we need. Thus our interpretation of var has the kind of 
"object oriented" flavour advocated by Reynolds: a variable is an object with ω-many 
write-methods and a read-method, and its semantics is given by the product of these. 
Finally the semantics of new is given by means of maps of type 

$$\llbracket \mathrm{var} \multimap \mathrm{comm} \rrbracket \to \llbracket \mathrm{comm} \rrbracket \quad \text{and} \quad \llbracket \mathrm{var} \multimap \mathrm{nat} \rrbracket \to \llbracket \mathrm{nat} \rrbracket$$

defined by the sets 

$$\{((s, *), *) \mid s \text{ is a cell trace}\}$$

and 

$$\{((s, n), n) \mid n \in \mathbb{N},\ s \text{ is a cell trace}\}$$

respectively. 

5.3. Soundness of the model of SCI. We can now show that our model is sound for the 
whole of SCI, extending the result of Section 4.3. 

First a standard lemma which says that substitution is modelled by composition in the 
category. 

Lemma 5.1 (Substitution). If $\Gamma, x : A \vdash M : B$ and $\Delta \vdash N : A$ are terms of SCI, then so 
is $\Gamma, \Delta \vdash M[N/x] : B$, and furthermore $\llbracket M[N/x] \rrbracket = \mathrm{id}_{\llbracket \Gamma \rrbracket} \otimes \llbracket N \rrbracket ; \llbracket M \rrbracket$. □ 

With this in place it is standard that β-reduction is soundly modelled, because of the 
naturality of currying. 

Lemma 5.2. If $\Gamma, x : A \vdash M : B$ and $\Delta \vdash N : A$, then $\llbracket (\lambda x . M) N \rrbracket = \llbracket M[N/x] \rrbracket$. □ 
Both of these Lemmas are proved by a straightforward induction on the structure of 
terms. They hold for standard reasons, because we are working in a symmetric monoidal 
category and using exponentials to model function spaces. We can now establish soundness 
for our model using purely algebraic reasoning: the fact that there is no recursion in the 
language makes this particularly straightforward. The key is to establish that every ground- 
type term of the full language has the same behaviour as a term of bSCI; a property that 
is captured by the following definition. 

Definition Let $\Gamma \vdash M : A$ be a term of SCI, where Γ contains only var-typed variables. 
We say that M is bSCI-expressive iff: 

• A is a ground type and there exists a term $\Gamma \vdash M' : A$ of bSCI such that $\llbracket M \rrbracket = \llbracket M' \rrbracket$ 
and for all stores σ and values $\vdash V : A$ 

$$\sigma, M \Downarrow \sigma', V \iff \sigma, M' \Downarrow \sigma', V$$

or 

• $A = A_1 \multimap A_2$ is a function type and for all bSCI-expressive terms $\Delta \vdash N : A_1$, $\Gamma, \Delta \vdash MN : A_2$ 
is bSCI-expressive. 

Note that the first case above implies that all ground-type terms of bSCI with only var- 
typed free variables are automatically bSCI-expressive. 

Lemma 5.3. Let $x_1 : A_1, \ldots, x_n : A_n \vdash M : A$ be any term of SCI, and let $\Gamma_i \vdash N_i : A_i$ be 
bSCI-expressive terms. Then $M[N_i/x_i]$ is bSCI-expressive. 

Proof. By induction on the structure of M. 
Variables: this case is trivial. 

Constants: trivial since constant terms are themselves bSCI-terms. 

Term formers of bSCI: for terms such as while $M_1$ do $M_2$, we must prove that 
while $M_1[N/x]$ do $M_2[N/x]$ is bSCI-expressive. 

The subterms $M_i[N/x]$ are bSCI-expressive by inductive hypothesis, and hence there 
are terms $M'_1$ and $M'_2$ of bSCI such that 

$$\llbracket M'_i \rrbracket = \llbracket M_i[N/x] \rrbracket$$

for i = 1, 2, and for all stores σ and values V, 

$$\sigma, M'_i \Downarrow \sigma', V \iff \sigma, M_i[N/x] \Downarrow \sigma', V.$$

By the definition of the operational semantics it follows that 

$$\sigma, \mathrm{while}\ M'_1\ \mathrm{do}\ M'_2 \Downarrow \sigma', V$$

if and only if 

$$\sigma, \mathrm{while}\ M_1[N/x]\ \mathrm{do}\ M_2[N/x] \Downarrow \sigma', V.$$

By the compositionality of the denotational semantics, 

$$\llbracket \mathrm{while}\ M'_1\ \mathrm{do}\ M'_2 \rrbracket = \llbracket \mathrm{while}\ M_1[N/x]\ \mathrm{do}\ M_2[N/x] \rrbracket$$

and hence while $M_1[N/x]$ do $M_2[N/x]$ is bSCI-expressive, as required. 

The cases of other term-formers which are included in bSCI, such as if and new, are 
similar. 
Abstraction: For a term λx.M, we must prove that λx.M[N/x] is bSCI-expressive. Let 
us write M' for M[N/x]. By the definition of bSCI-expressive, we must show that 
for all bSCI-expressive terms $P_1, \ldots, P_k$ such that $(\lambda x . M') P_1 \ldots P_k$ is of ground type, 
$(\lambda x . M') P_1 \ldots P_k$ is bSCI-expressive. 

By the inductive hypothesis, M'[N/x] is bSCI-expressive whenever N is. Hence by 
definition of bSCI-expressivity, $M'[P_1/x] P_2 \ldots$ is bSCI-expressive whenever the $P_i$ are. 
Therefore there is a term M'' of bSCI such that $\llbracket M'' \rrbracket = \llbracket M'[P_1/x] P_2 \ldots P_k \rrbracket$ and for all 
stores σ and values V, 

$$\sigma, M'' \Downarrow \sigma', V \iff \sigma, M'[P_1/x] P_2 \ldots P_k \Downarrow \sigma', V.$$

But by soundness of β-reduction, 

$$\llbracket (\lambda x . M') P_1 \ldots P_k \rrbracket = \llbracket M'[P_1/x] P_2 \ldots P_k \rrbracket = \llbracket M'' \rrbracket.$$

This is to say that $(\lambda x . M') P_1 \ldots P_k$ is bSCI-expressive whenever the $P_i$ are, so λx.M' is 
bSCI-expressive. 

Application: For a term $M_1 M_2$, we must show that $M_1[N/x]\, M_2[N/x]$ is bSCI-expressive. 
But by inductive hypothesis, 

$$M_i[N/x]$$

is bSCI-expressive for i = 1, 2 and the result follows by definition of bSCI-expressivity at 
function types. 

□ 

Lemma 5.4. For any closed term M of type nat or comm, $M \Downarrow V$ iff $\llbracket M \rrbracket = \llbracket V \rrbracket$. 

Proof. By Lemma 5.3 M is bSCI-expressive and hence there is a term M' of bSCI such 
that $\llbracket M \rrbracket = \llbracket M' \rrbracket$ and $M \Downarrow V$ if and only if $M' \Downarrow V$. By the soundness for bSCI-terms 
(Corollary), $M' \Downarrow V$ if and only if $\llbracket M' \rrbracket = \llbracket V \rrbracket$, and the result follows. □ 

Theorem 5.5 (Equational Soundness). If $\Gamma \vdash M, N : A$ are terms such that $\llbracket M \rrbracket = \llbracket N \rrbracket$, 
then M and N are contextually equivalent. 

Proof. Since the semantics is compositional, for any context C[−], we have $\llbracket C[M] \rrbracket = \llbracket C[N] \rrbracket$. 
By Lemma 5.4, $C[M] \Downarrow V$ iff $\llbracket C[M] \rrbracket = \llbracket V \rrbracket$ iff $\llbracket C[N] \rrbracket = \llbracket V \rrbracket$ iff $C[N] \Downarrow V$ as 
required. □ 



6. TWO EXTENSIONS TO THE LANGUAGE 

In the next section it will be useful to consider a version of SCI extended with two new 
constructs: erratic choice and a "bad variable" constructor. It will turn out that in a 
certain sense these extensions add no new expressive power — in technical parlance, they 
are conservative extensions — but they do alter the character of the language at an intuitive 
level, and allow new programs to be written. More importantly for our purposes, they give 
rise to the presence of a universal type in the language. 
6.1. Erratic choice. There are several ways to add an erratic choice operation to the 
language. As long as we are interested only in the "may-converge" version of the ⇓ predicate, 
recording what values are possible as the result of a computation without making any 
guarantee of termination, the simplest form of erratic choice is a random number generator. 

We add to the language a constant random, with typing rule 

$$\Gamma \vdash \mathrm{random} : \mathrm{nat}$$

and operational semantics 

$$\sigma, \mathrm{random} \Downarrow \sigma, n$$

for any n. 

The denotational semantics of random in our model is 

$$\llbracket \Gamma \vdash \mathrm{random} : \mathrm{nat} \rrbracket = \{(\varepsilon, n) \mid n \in \mathbb{N}\}.$$

6.1.1. Remark. Note that if we were to treat the must-converge predicate, this unbounded 
nondeterminism would be very different from finite nondeterminism, and would lead to some 
technical difficulties in the semantics, cf. [3]. However, for may-convergence, adding random 
to the language is equivalent to adding a mere binary nondeterministic choice operator. 

6.2. Bad variable constructor. We alluded earlier to the "object-oriented" nature of 
our denotational semantics of the var type: var is seen as the product of countably many 
assignment methods of type comm and a dereferencing method of type nat. We can import 
this reading of the var type into the syntax of the language by means of a bad-variable 
constructor mkvar, as follows. 

The typing rule is 

$$\frac{\Gamma \vdash M : \mathrm{nat} \multimap \mathrm{comm} \qquad \Gamma \vdash N : \mathrm{nat}}{\Gamma \vdash \mathrm{mkvar}\ M\ N : \mathrm{var}}$$

For operational semantics, there are three rules: 

$$\sigma, \mathrm{mkvar}\ M\ N \Downarrow \sigma, \mathrm{mkvar}\ M\ N$$

$$\frac{\sigma, N \Downarrow \sigma', n \qquad \sigma', M \Downarrow \sigma'', \mathrm{mkvar}\ M_1\ M_2 \qquad \sigma'', M_1 n \Downarrow \sigma''', V}{\sigma, M := N \Downarrow \sigma''', V}$$

$$\frac{\sigma, M \Downarrow \sigma', \mathrm{mkvar}\ M_1\ M_2 \qquad \sigma', M_2 \Downarrow \sigma'', V}{\sigma, !M \Downarrow \sigma'', V}$$

The idea is that mkvar M N is a variable for which the assignment methods are given 
by the Mn and the dereferencing method is given by N. Thus any genuine variable x is 
equivalent to 

$$\mathrm{mkvar}\ (\lambda n . x := n)\ (!x)$$

but many other kinds of variable are available, some with very un-variable-like behaviour, 
such as 

$$\mathrm{mkvar}\ (\lambda n . \mathrm{skip})\ (3)$$

which always gives 3 when dereferenced. 

The denotational semantics of mkvar is as follows. 

$$\llbracket \mathrm{mkvar}\ M\ N \rrbracket = \{(s, \mathrm{write}(n)) \mid (s, *) \in \llbracket M n \rrbracket\} \cup \{(s, \mathrm{read}(n)) \mid (s, n) \in \llbracket N \rrbracket\}$$
A somewhat more abstract presentation can be given. First note that the denotations of 
terms 

$$f : \mathrm{nat} \multimap \mathrm{comm} \vdash f n : \mathrm{comm}$$

for each n give us ω-many maps [[nat ⊸ comm]] → [[comm]] and thus a map 

$$\mathrm{flatten} : \llbracket \mathrm{nat} \multimap \mathrm{comm} \rrbracket \to \llbracket \mathr{comm} \rrbracket^{\omega}$$

which "flattens" a function into a tuple. Since [[var]] = [[comm]]^ω × [[nat]] we can then define 

$$\llbracket \mathrm{mkvar}\ M\ N \rrbracket = \langle \llbracket M \rrbracket ; \mathrm{flatten}, \llbracket N \rrbracket \rangle.$$

6.2.1. Remark. One might argue that the mkvar constructor is unnatural from a program- 
mer's point of view. However, the ability to define one's own assignment and dereferencing 
operators is a useful programming technique which is frequently exploited in languages such 
as Ruby, for example [5]. This constructor appears in the syntax of most Algol-like lan- 
guages which have been studied in the theoretical literature, and is available in most models 
of such languages too. Our result, to follow, which shows that mkvar is a conservative ex- 
tension of SCI is therefore somewhat comforting; moreover this result can be extended to 
full Idealized Algol, arguing via a game-based model [14]. 

6.2.2. Terminology. We shall refer to the language SCI extended with mkvar as $\mathrm{SCI}_{\mathrm{mk}}$. 
The relation of contextual equivalence for this language, defined in the same way as for 
SCI, will be denoted $\cong_{\mathrm{mk}}$. Note that this relation may distinguish more terms of the pure 
SCI language than does ≅, because contexts may now make use of mkvar; in fact we shall 
see later that this is not the case, so that mkvar is a conservative extension of the language. 
Similarly, the language extended with both mkvar and random will be called $\mathrm{SCI}_{\mathrm{mk,ran}}$ and 
its notion of contextual equivalence will be written $\cong_{\mathrm{mk,ran}}$. 

6.3. Soundness. We now show that the model of the extended language $\mathrm{SCI}_{\mathrm{mk,ran}}$ is sound. 
The proof is a straightforward extension of the arguments used to establish Lemma 5.4. For 
the sake of completeness (of the paper, not the model!) we give the formulation here. 

Definition A term $x_1 : \mathrm{var}, \ldots, x_n : \mathrm{var} \vdash M : A$ of $\mathrm{SCI}_{\mathrm{mk,ran}}$ is good iff 

• A is comm and for all σ, σ', 

$$\sigma, M \Downarrow \sigma', \mathrm{skip}$$

if and only if 

$$\exists (s, *) \in \llbracket M \rrbracket .\ \sigma \xrightarrow{s} \sigma'.$$

• A is nat and for all σ, σ', n, 

$$\sigma, M \Downarrow \sigma', n$$

if and only if 

$$\exists (s, n) \in \llbracket M \rrbracket .\ \sigma \xrightarrow{s} \sigma'.$$

• A is var and for all n, M := n is good and !M is good. 

• A is $A_1 \multimap A_2$ and for all good $N : A_1$, $MN : A_2$ is good. 

Lemma 6.1. For any term $x_1 : A_1, \ldots, x_n : A_n \vdash M : B$ of $\mathrm{SCI}_{\mathrm{mk,ran}}$, if $\Gamma_i \vdash M_i : A_i$ are 
good terms for i = 1, …, n, with the $\Gamma_i$ disjoint, then $\Gamma_1, \ldots, \Gamma_n \vdash M[M_i/x_i] : B$ is good. 
Proof. By induction on the structure of M. We treat only the cases of random and mkvar; 
the arguments for the others are as in the proofs of Lemmas 4.1 and 5.3. 

For random, the operational semantics says that 

$$\sigma, \mathrm{random} \Downarrow \sigma, n$$

for any σ and n. But $\sigma \xrightarrow{\varepsilon} \sigma$ and 

$$(\varepsilon, n) \in \llbracket \mathrm{random} \rrbracket$$

by definition. Conversely, if $\sigma \xrightarrow{\varepsilon} \sigma'$ then σ = σ', so both directions of the required 
implication hold. 

For mkvar, we shall show that if M : nat ⊸ comm and N : nat are good, then so is 
mkvar M N. 

We must show that (mkvar M N) := n and !(mkvar M N) are good. By the definition 
of the operational semantics, 

$$\sigma, (\mathrm{mkvar}\ M\ N) := n \Downarrow \sigma', \mathrm{skip}$$

if and only if 

$$\sigma, M n \Downarrow \sigma', \mathrm{skip}.$$

Since M and n are good, this happens if and only if 

$$\exists (s, *) \in \llbracket M n \rrbracket .\ \sigma \xrightarrow{s} \sigma'.$$

By definition of the semantics of mkvar, this holds iff 

$$\exists (s, \mathrm{write}(n)) \in \llbracket \mathrm{mkvar}\ M\ N \rrbracket .\ \sigma \xrightarrow{s} \sigma'$$

which in turn holds iff 

$$\exists (s, *) \in \llbracket (\mathrm{mkvar}\ M\ N) := n \rrbracket .\ \sigma \xrightarrow{s} \sigma'$$

by definition of the semantics of assignment, which completes the argument. The case for 
dereferencing is proved similarly. □ 

Corollary 6.2. For any closed term M of $\mathrm{SCI}_{\mathrm{mk,ran}}$ having type comm, $M \Downarrow \mathrm{skip} \iff {*} \in \llbracket M \rrbracket$, 
and for any closed term M of type nat, $M \Downarrow n \iff n \in \llbracket M \rrbracket$. □ 

Note that the statement of this result is a little different from the analogous result for 
SCI, Corollary 4.2, because of the nondeterminism in the language. 

Just as before, this result is enough to allow us to establish the soundness of our model. 

Theorem 6.3. If M and N are terms of $\mathrm{SCI}_{\mathrm{mk,ran}}$ of the same type and $\llbracket M \rrbracket = \llbracket N \rrbracket$, then 
$M \cong_{\mathrm{mk,ran}} N$. 

Another simple corollary will prove useful for us later. 

Corollary 6.4. If M and N are closed terms of $\mathrm{SCI}_{\mathrm{mk,ran}}$ of type nat, then $M \cong_{\mathrm{mk,ran}} N \iff \llbracket M \rrbracket = \llbracket N \rrbracket$. 

Proof. The right-to-left implication is Theorem 6.3. Left-to-right holds because if M and 
N are equivalent, then $M \Downarrow n$ if and only if $N \Downarrow n$ for any n, so by Corollary 6.2 $n \in \llbracket M \rrbracket$ 
if and only if $n \in \llbracket N \rrbracket$, that is, $\llbracket M \rrbracket = \llbracket N \rrbracket$. □ 
7. A UNIVERSAL TYPE AND FULL ABSTRACTION 

We begin this section with the observation that every type-object [[A]] in MonRel is a 
retract of [[nat]], confirming our claim that the Karoubi envelope of the monoid $\mathcal{M}$ is an 
appropriate setting for modelling imperative computation. 

This would be little more than an intriguing observation but for the fact that the maps 
involved in the retractions are definable by terms of $\mathrm{SCI}_{\mathrm{mk,ran}}$. Thus, not only is [[nat]] a 
universal object for the category of type-objects in MonRel, but also nat is a universal 
type in the language. This gives rise to a very simple proof of the full abstraction of the 
model of $\mathrm{SCI}_{\mathrm{mk,ran}}$. We then show that this result restricts to the smaller language SCI by 
demonstrating that $\mathrm{SCI}_{\mathrm{mk,ran}}$ extends SCI conservatively. 

Lemma 7.1. Let A be any countable set. The monoid A* is a retract of $\llbracket \mathrm{nat} \rrbracket = \omega^*$ in 
MonRel. 

Proof. Let $f : A \to \omega$ be any injective function. We define maps 

$$\mathrm{in} : A^* \to \omega^* \qquad \mathrm{out} : \omega^* \to A^*$$

in MonRel by the relations 

$$\mathrm{in} = \{(a_1 \cdots a_k,\ f(a_1) \cdots f(a_k)) \mid a_1, \ldots, a_k \in A\}$$

$$\mathrm{out} = \{(f(a_1) \cdots f(a_k),\ a_1 \cdots a_k) \mid a_1, \ldots, a_k \in A\}$$

It is immediately clear that these are well-defined maps in MonRel and that in; out = id. □ 

Since every type object [[A]] is a list-monoid over a countable set, every type-object is 
a retract of [[nat]]. 

We should remark, however, that not every object used to define the semantics of SCI 
is a retract of [[nat]]. For example one can show that the object [[nat]] ⊗ [[nat]] does not 
have this property. The category MonRel therefore possesses some advantages over the 
category $\mathcal{K}(\mathcal{M})$. 

We can go further in our description of type-objects as retracts of [[nat]]: the retractions 
at hand are denotations of terms of $\mathrm{SCI}_{\mathrm{mk,ran}}$. 

Definition A type A of SCI is a definable retract of nat iff there are maps $\mathrm{in} : \llbracket A \rrbracket \to \omega^*$ 
and $\mathrm{out} : \omega^* \to \llbracket A \rrbracket$ in MonRel such that $\mathrm{in} ; \mathrm{out} = \mathrm{id}_{\llbracket A \rrbracket}$ and furthermore there are terms 
$x : A \vdash \mathrm{in} : \mathrm{nat}$ and $y : \mathrm{nat} \vdash \mathrm{out} : A$ of $\mathrm{SCI}_{\mathrm{mk,ran}}$ such that $\llbracket \mathrm{in} \rrbracket = \mathrm{in}$ and $\llbracket \mathrm{out} \rrbracket = \mathrm{out}$. 

Theorem 7.2. Every type of SCI is a definable retract of nat. 

Proof. By induction on the structure of types. We shall give particular definable retractions 
for the types nat, comm, var and nat ⊸ nat. The case of a more general function type 
A ⊸ B is then handled inductively, by defining 

$$x : A \multimap B \vdash \mathrm{in}_{A \multimap B} : \mathrm{nat} = \mathrm{in}_{\mathrm{nat} \multimap \mathrm{nat}}(\lambda n : \mathrm{nat} .\ \mathrm{in}_B(x(\mathrm{out}_A(n)))) : \mathrm{nat}$$

$$y : \mathrm{nat} \vdash \mathrm{out}_{A \multimap B} = \lambda a : A .\ \mathrm{out}_B(\mathrm{out}_{\mathrm{nat} \multimap \mathrm{nat}}(y)(\mathrm{in}_A(a))) : A \multimap B.$$

The identity maps clearly make nat a definable retract of itself. For the type comm, we 
define 

$$x : \mathrm{comm} \vdash \mathrm{in}_{\mathrm{comm}} : \mathrm{nat} = x;$$

$$y : \mathrm{nat} \vdash \mathrm{out}_{\mathrm{comm}} : \mathrm{comm} = \mathrm{if\ zero}\ y\ \mathrm{then\ skip\ else}\ \Omega$$

where Ω is any nonterminating program. It is trivial to verify that these terms have the 
required property. 

For the type var, we make use of nondeterminism. We are going to encode the action 
of reading a value n from a variable as the number 2n, and writing n to a variable as 2n + 1 
(any effective encoding of a disjoint sum of naturals would do, of course). The in term 
randomly assigns to or dereferences from the variable x, and then returns the encoding of 
what it has done: 

$$x : \mathrm{var} \vdash \mathrm{in}_{\mathrm{var}} : \mathrm{nat} = \mathrm{new}\ r := \mathrm{random}\ \mathrm{in}\ \mathrm{if\ zero}\ r\ \mathrm{then}\ 2(!x)\ \mathrm{else}\ (x := r - 1);\ 2r - 1.$$

The semantics of $\mathrm{in}_{\mathrm{var}}$ therefore consists of all pairs of the forms 

$$([\mathrm{read}(n)], 2n) \quad \text{and} \quad ([\mathrm{write}(n)], 2n + 1).$$

The out term makes use of mkvar to create a variable. Both the reading and writing 
parts of this variable evaluate the natural number y once. If y is of the form 2n, then the 
variable allows n to be read from it; if on the other hand y is 2n + 1, then the variable 
allows n to be written to it. No other actions are possible. 

$$y : \mathrm{nat} \vdash \mathrm{out}_{\mathrm{var}} : \mathrm{var} = \mathrm{mkvar}\ (\lambda n : \mathrm{nat} .\ \mathrm{if}\ y = 2n + 1\ \mathrm{then\ skip\ else}\ \Omega)\ (\mathrm{new}\ z := y\ \mathrm{in\ if\ even}(!z)\ \mathrm{then}\ !z / 2\ \mathrm{else}\ \Omega).$$

The semantics of this term therefore consists of all pairs of the forms 

$$([2n], \mathrm{read}(n)) \quad \text{and} \quad ([2n + 1], \mathrm{write}(n))$$

thus giving the required retraction. 

Finally for nat ⊸ nat, the term in supplies the function with a randomly generated 
sequence of inputs, s, observes the output, n, and returns an encoding of the pair (s, n) as a 
natural number. Compare this with the code(−) function used to embed $[\mathcal{P}\omega \to \mathcal{P}\omega]$ in $\mathcal{P}\omega$ 
in Scott's model. To ease the notation we use a liberal dose of syntactic sugar. We assume 
that an encoding of sequences of natural numbers as naturals exists, and suppress mention of 
it, so it appears that the variable s in the term below is used to store finite sequences directly. 
We write ε for the encoding of the empty sequence, [n] for the encoding of the singleton 
sequence containing the element n, and • for the encoding of concatenation. If n is a number 
encoding a sequence s, |n| denotes the length of sequence s and $n_i$ denotes the ith element 
of s. We also use pair notation (s, n) for the encoding of this pair as a natural number, and 
fst and snd to compute the projections from such encoded pairs. Finally we allow multiple 
variables to be allocated and initialized at once, so that new s := ε; x := 0 in M means 
new s in new x in s := ε; x := 0; M. With these abbreviations at our disposal, $\mathrm{in}_{\mathrm{nat} \multimap \mathrm{nat}}$ is 
defined as follows. 

$$f : \mathrm{nat} \multimap \mathrm{nat} \vdash \mathrm{in}_{\mathrm{nat} \multimap \mathrm{nat}} = \mathrm{new}\ s := \varepsilon;\ x := 0\ \mathrm{in}$$
$$\qquad x := f(\mathrm{new}\ r := \mathrm{random}\ \mathrm{in}\ (s := !s \bullet [!r]);\ !r);$$
$$\qquad (!s, !x).$$

Finally for $\mathrm{out}_{\mathrm{nat} \multimap \mathrm{nat}}$, we take the value y : nat, decode it as a pair (s, n), and return a 
function which can return n on observation of the input sequence s, but can do nothing 
else. 

$$y : \mathrm{nat} \vdash \mathrm{out}_{\mathrm{nat} \multimap \mathrm{nat}} = \lambda z^{\mathrm{nat}} .\ \mathrm{new}\ y' := y;\ z' := z;\ s := \mathrm{fst}(!y');\ n := \mathrm{snd}(!y');\ x := 0\ \mathrm{in}$$
$$\qquad \mathrm{while}\ !x < |!s|\ \mathrm{do}$$
$$\qquad\qquad \mathrm{if}\ !z' = (!s)_{!x}\ \mathrm{then}\ x := !x + 1\ \mathrm{else}\ \Omega;$$
$$\qquad !n$$

□ 
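As an added worked example (not code from the paper), the following Python represents a MonRel map into a free monoid by its homomorphism on letters (Sections 5.0.4 and 5.1.4), composes maps exactly as the Kleisli composition above with the arrows reversed, and checks the comm and var retractions of Theorem 7.2 on finite cuts: in; out is the identity on letters, while out; in need not be. It assumes that in_comm returns 0 after running x, which is what makes it a retraction against out_comm, and it constructs the letters of [[var]] as ('read', n) and ('write', n).

```python
"""A finite fragment of MonRel (Section 5).  Added example, not the
paper's own code.  A map A -> B in MonRel whose target B is a free monoid
is a homomorphism B -> P(A); since B is free, that homomorphism is fixed by
its values on the letters of B.  Traces are tuples, concatenation is tuple
concatenation, and images are Python sets of traces."""


def extend(hom, seq):
    """Homomorphic extension of `hom` (letter of B -> set of A-traces) to a
    sequence over B: the pointwise product of the letter images.  The empty
    sequence maps to {()}, the identity of the powerset monoid P(A)."""
    images = {()}
    for letter in seq:
        images = {a + a2 for a in images for a2 in hom(letter)}
    return images


def related(hom, a, b):
    """The relation R_f of Section 5.1.4: a R_f b iff a is in f(b).  The
    decomposition property holds by construction: a must split as
    a_1 ... a_k with each a_i in hom(b_i)."""
    return a in extend(hom, b)


def compose(hom_r, hom_s):
    """Composite R;S : A -> C of R : A -> B and S : B -> C, given as the
    homomorphisms hom_r : B -> P(A) and hom_s : C -> P(B).  This is the
    Kleisli composition of Section 5.0.4 with the arrows reversed: a letter
    c goes to the union over b in hom_s(c) of the extension of hom_r at b."""
    def hom(c):
        result = set()
        for b in hom_s(c):
            result |= extend(hom_r, b)
        return frozenset(result)
    return hom


def is_identity_on(hom, letters):
    """True iff hom sends every given letter c to exactly {(c,)}; a map into
    a free monoid that is the identity on letters is the identity."""
    return all(hom(c) == {(c,)} for c in letters)


# --- the var retraction of Theorem 7.2: read(n) <-> 2n, write(n) <-> 2n+1.
# Letters of [[var]] are constructed here as ('read', n) and ('write', n).

def in_var(m):
    """in_var : [[var]] -> omega*, as the homomorphism omega -> P([[var]])."""
    n, odd = divmod(m, 2)
    return {(('write', n),)} if odd else {(('read', n),)}


def out_var(v):
    """out_var : omega* -> [[var]], as the homomorphism alpha(var) -> P(omega*)."""
    kind, n = v
    return {(2 * n + 1,)} if kind == 'write' else {(2 * n,)}


# --- the comm retraction: in_comm runs x and then (assumption) returns 0;
# out_comm = if zero y then skip else Omega, so only the input 0 yields *.

def in_comm(m):
    """in_comm : [[comm]] -> omega*: only the letter 0 has a non-empty image."""
    return {('*',)} if m == 0 else set()


def out_comm(v):
    """out_comm : omega* -> [[comm]]: the letter * is the trace [0]."""
    return {(0,)}


VAR_LETTERS = [('read', 0), ('write', 0), ('read', 7), ('write', 3)]

if __name__ == '__main__':
    print('in_var ; out_var = id:', is_identity_on(compose(in_var, out_var), VAR_LETTERS))
    print('in_comm ; out_comm = id:', is_identity_on(compose(in_comm, out_comm), ['*']))
    print('out_comm ; in_comm at 5:', set(compose(out_comm, in_comm)(5)))
```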

These definable retractions allow us to prove full abstraction for $\mathrm{SCI}_{\mathrm{mk,ran}}$ in a very 
straightforward fashion. 

Theorem 7.3. The model of $\mathrm{SCI}_{\mathrm{mk,ran}}$ in MonRel is fully abstract. That is, for any closed 
terms M and N of the same type, $\llbracket M \rrbracket = \llbracket N \rrbracket$ if and only if $M \cong_{\mathrm{mk,ran}} N$. 

Proof. The left-to-right implication is Theorem 6.3. For the right-to-left, suppose M and 
N are equivalent terms. Then by definition of equivalence, we also have 

$$\mathrm{in}[M/x] \cong_{\mathrm{mk,ran}} \mathrm{in}[N/x].$$

These are closed terms of type nat, so by Corollary 6.4, $\llbracket \mathrm{in}[M/x] \rrbracket = \llbracket \mathrm{in}[N/x] \rrbracket$. By 
compositionality of the semantics it follows that $\llbracket \mathrm{out}[\mathrm{in}[M/x]/y] \rrbracket = \llbracket \mathrm{out}[\mathrm{in}[N/x]/y] \rrbracket$. But 
$\llbracket \mathrm{out}[\mathrm{in}[M/x]/y] \rrbracket = \llbracket M \rrbracket ; \llbracket \mathrm{in} \rrbracket ; \llbracket \mathrm{out} \rrbracket$ and similarly for N, so we conclude that $\llbracket M \rrbracket = \llbracket N \rrbracket$ 
as required. □ 



8. A MODEL WITHOUT NONDETERMINISM 

We have established full abstraction of our model of $\mathrm{SCI}_{\mathrm{mk,ran}}$, which admits both the mkvar 
construct and nondeterminism. Before embarking on our proof that these additional con- 
structs do not change the notion of equivalence in SCI, we first develop a more constrained 
model in which random cannot be interpreted. 

Reddy's original object-spaces model did not admit the nondeterministic construct 
random. We use some of Reddy's ideas to construct a variant of the category MonRel which 
contains the same model of $\mathrm{SCI}_{\mathrm{mk}}$ but, like Reddy's category, contains no nondeterministic 
elements. The idea is to introduce a relation of coherence, in the style of Girard's coherence 
spaces [6]. 

Definition Given a monoid A, a coherence relation ~ on A is a symmetric reflexive binary 
relation on the underlying set of A such that 

prefix closure: if $a_1 a_2 \sim a'_1 a'_2$ then $a_1 \sim a'_1$ 

extension: if $a a_1 \sim a a_2$ then $a_1 \sim a_2$. 

A useful intuition is that elements a and a' are coherent, a ~ a', if they can coexist as 
possible observations to be made of a single deterministic computation at the same state. 
So, for instance, distinct natural numbers n and n' will not be coherent in the denotation 
of nat, but write(n) and write(n') will be coherent in var because a variable may allow any 
value to be written to it. 

Definition The category MonRelCoh is defined as follows. Objects are pairs $(A, \sim_A)$ 
consisting of a monoid A together with a coherence relation on A, and maps from $(A, \sim_A)$ 
to $(B, \sim_B)$ are relations R such that R is a map from A to B in MonRel and furthermore 

• if $a \sim_A a'$, $aRb$ and $a'Rb'$ then $b \sim_B b'$ 

• if $a \sim_A a'$, $aRb$ and $a'Rb$ then $a = a'$. 

Composition is the usual composition of relations. 

Lemma 8.1. MonRelCoh is a category. 

Proof. It is clear that the identity relations are valid maps in MonRelCoh so we just need 
to show that composition preserves the two new constraints on maps. Let $R : A \to B$ and 
$S : B \to C$ be maps in MonRelCoh. Suppose $a \sim_A a'$ and that $a\,(R;S)\,c$ and $a'\,(R;S)\,c'$. Then 
there exist $b, b' \in B$ such that $aRb$, $bSc$, $a'Rb'$ and $b'Sc'$. Since $a \sim_A a'$ we have $b \sim_B b'$ 
and hence $c \sim_C c'$ as required. Now suppose c = c'; we shall show that a = a'. Since S is 
a valid map, we have b = b' and then since R is valid, a = a'. Hence R; S is a valid map in 
MonRelCoh. □ 

The following definition is due to Reddy [19]. 

Definition Given a set A and a symmetric reflexive binary relation $\sim_A$ on A, we define an object of MonRelCoh called the object-space over A consisting of the free monoid over A with coherence relation defined by:

$a_1 \ldots a_m \sim a'_1 \ldots a'_n$

if and only if

$\forall i \in \{0, \ldots, \min(m, n) - 1\}.\; a_1 \ldots a_i = a'_1 \ldots a'_i \Rightarrow a_{i+1} \sim_A a'_{i+1}$

That is to say, two sequences are coherent if either one is a prefix of the other, or at the first place they differ, the two differing elements are coherent.

Lemma 8.2. Let $(A, \sim)$ be a set with a coherence relation, and let $A^*$ be the object-space over this structure. Let B be any object of MonRelCoh. Let R be a relation from UB to A such that if $bRa$ and $b'Ra'$ with $b \sim b'$ then $a \sim a'$, and if $a = a'$ then $b = b'$. Then there is a unique map in MonRelCoh from B to $A^*$ which extends R; by abuse of notation we also write R for this relation.

Proof. The unique candidate for this map is the extension of R to a map $B \to A^*$ in MonRel, exploiting the fact that $A^*$ is the free monoid over A. We just need to show that it is a valid map in MonRelCoh.

We first show that if $b \sim b'$ with $b R a_1 \cdots a_n$ and $b' R a'_1 \cdots a'_{n'}$, then $a_1 \cdots a_n \sim a'_1 \cdots a'_{n'}$. This requires demonstrating that at the first i such that $a_i \neq a'_i$, we have $a_i \sim a'_i$, if such an i exists. We proceed by induction on the minimum of n, n'. In the base case there is nothing to prove, so suppose both n and n' are non-zero.

By the decomposition property, we can find $b_1, \ldots, b_n$ such that $b = b_1 \cdots b_n$ and each $b_i R a_i$, and similarly for b' and the $a'_i$. By the prefix-closure property in B, $b_1 \sim b'_1$ and hence $a_1 \sim a'_1$. Thus if $a_1 \neq a'_1$, we are done. Otherwise, $a_1 = a'_1$ implies that $b_1 = b'_1$ and then by the extension property of coherence in B, we have $b_2 \cdots b_n \sim b'_2 \cdots b'_{n'}$, and of course $b_2 \cdots b_n R a_2 \cdots a_n$ and similarly for the $b'_i$ and $a'_i$. Then the inductive hypothesis gives us the result we require.

We now show that if additionally $a_1 \cdots a_n = a'_1 \cdots a'_{n'}$, then $b = b'$, again by induction on n (which is equal to n'). The base case is guaranteed by the identity reflection property of maps in MonRel. In the inductive step, we again decompose b and b' as above, and note that since $a_1 = a'_1$ we have $b_1 = b'_1$. Then we also have $b_2 \cdots b_n R a_2 \cdots a_n$ and similarly for the $b'_i$, and conclude by the inductive hypothesis. □






The product, tensor and exponential constructions in MonRel all lift to MonRelCoh. 
This can be expressed as follows. 

Lemma 8.3. MonRelCoh is a symmetric monoidal category with products, and the 
object-spaces form an exponential ideal in MonRelCoh. Moreover the forgetful functor 
to MonRel preserves all this structure on the nose. 

Proof. We just need to define the coherence-relation parts of the various constructions and show that they are well-defined and have the appropriate properties.
For the monoidal structure, coherence is defined pointwise:

$(a, b) \sim_{A \otimes B} (a', b') \iff a \sim_A a' \wedge b \sim_B b'$.

(To aid legibility in future we will drop the subscripts on the $\sim$ relations where no confusion will arise.)

It is clear that this definition makes $\otimes$ into a bifunctor on MonRelCoh and that the associativity, symmetry and unit maps from MonRel are well-defined maps in MonRelCoh too.

We now consider the exponentials. Let $(A, \sim_A)$ be an object of MonRelCoh, and let $(B, \sim_B)$ be a set equipped with a symmetric reflexive binary relation. In MonRel the exponential $A \multimap B^*$ is given by the free monoid over $UA \times B$. We shall define a symmetric reflexive binary relation on this set and show that the object-space this defines is the required exponential in MonRelCoh.

The coherence relation on $UA \times B$ echoes the definition of map in MonRelCoh: $(a, b) \sim (a', b')$ if and only if

• $a \sim_A a' \Rightarrow b \sim_B b'$

• $a \sim_A a' \wedge b = b' \Rightarrow a = a'$.

By Lemma 8.2 maps from an object C into this object space are described by relations from UC to $UA \times B$ which satisfy the appropriate coherence constraints. That is, if $cR(a, b)$ and $c'R(a', b')$ then we have

• $c \sim_C c' \Rightarrow (a, b) \sim (a', b')$

• $c \sim_C c' \wedge (a, b) = (a', b') \Rightarrow c = c'$.

On the other hand, maps from $C \otimes A$ to $B^*$ are given by relations from $UC \times UA$ to B such that

• $c \sim_C c' \wedge a \sim_A a' \Rightarrow b \sim_B b'$

• $c \sim_C c' \wedge a \sim_A a' \wedge b = b' \Rightarrow a = a' \wedge c = c'$.

It is straightforward to verify that these are the same constraints, so that we have a natural bijection of homsets:

$\mathbf{MonRelCoh}(C \otimes A, B^*) \cong \mathbf{MonRelCoh}(C, A \multimap B^*)$,

as required.

A similar argument shows that products in MonRel lift to MonRelCoh. For object- 
spaces, the construction is very straightforward: the product of object-spaces A* and B* is 
the object space over the disjoint union A + B, equipped with the coherence relation which 
relates elements of A if and only if they are related in the object space A*, and similarly 
for B, but also relates all elements of A to all elements of B. □ 
MonRelCoh therefore possesses all the structure we require to model SCI. To lift our 
model to MonRelCoh we just need to give interpretations of the base types and constants. 
The base types are all interpreted using object spaces, with underlying coherence relations 
as follows: 

• for nat, $n \sim n' \iff n = n'$.

• for comm, $* \sim *$.

• for var, $\mathrm{write}(n) \sim \mathrm{write}(n')$ for all n, n'; $\mathrm{read}(n) \sim \mathrm{read}(n') \iff n = n'$; and $\mathrm{write}(n) \sim \mathrm{read}(n')$ for all n, n'. Note that this makes var the product object-space of nat with ω-many copies of comm.

It is easy to check that the constant maps used in the denotations of SCI terms are maps of MonRelCoh over the appropriate types. The same applies to mkvar, but not to random: the map $[\![\mathrm{random}]\!]$ clearly violates the coherence constraints since it returns incoherent outputs from coherent (empty) inputs.

Theorem 8.4. The model of $\mathrm{SCI}_{mk}$ in MonRel lifts to MonRelCoh. □

Corollary 8.5. If $\vdash M : A$ is a closed term of $\mathrm{SCI}_{mk}$ and $a, a' \in [\![M]\!]$ then $a \sim a'$. (Here we blur the distinction between maps from the tensor unit into $[\![A]\!]$ and subsets of $[\![A]\!]$.) □

Thus the model of $\mathrm{SCI}_{mk}$ in MonRelCoh captures $\mathrm{SCI}_{mk}$'s deterministic nature: for instance, closed terms of type nat contain at most one natural number in their denotation.

9. CONSERVATIVITY RESULTS 

In this section we show that the extensions of SCI with the mkvar and random operators are conservative, that is to say, they have no effect on the relation of contextual equivalence for terms of the original SCI language. This means that the new contexts available when the language is extended have no additional discriminating power, and as a result, the full abstraction theorem for $\mathrm{SCI}_{mk,ran}$ also applies to the smaller languages $\mathrm{SCI}_{mk}$ and SCI. As explained in [13], this work shows that Reddy's object-spaces model [19] was the first example of a fully abstract semantics for a higher-order imperative language, though this was not known at the time. Its full abstraction is remarkable since it contains a great many undefinable elements. However, the definable elements do suffice to distinguish any two different elements of the model, and it is this which leads to full abstraction.

Though we present our results in the form of conservativity theorems rather than direct full abstraction proofs, our arguments hinge on partial definability results which would be enough to establish full abstraction of the model for SCI and $\mathrm{SCI}_{mk}$ directly, that is, without appealing to Theorem 7.3, if desired. The proof of conservativity of mkvar in particular makes heavy use of our definability results, and is essentially the same as the direct proof of full abstraction given in [13]. Nevertheless we believe that presenting the results as conservativity theorems is worthwhile, particularly in light of the relatively cheap proof of full abstraction for $\mathrm{SCI}_{mk,ran}$, and the limited use of definability in the proof of conservativity of random.






9.1. Definability. As explained above, our conservativity results are established by means 
of a partial definability result which demonstrates how certain elements of our model are 
found as the denotations of terms from SCI and its extensions. 

Let us first mention a curious fact. Let C[−] be some context of SCI, so that in particular C[−] does not employ mkvar. If

C[if !x = 3 then skip else diverge] $\Downarrow$,

then it is also the case that C[x := 3] $\Downarrow$. This inability of mkvar-free contexts to distinguish completely between reading and writing into variables is the main obstacle to overcome in our definability proof. The presence of mkvar makes quite a difference, since for example a context binding x to the term

mkvar (λy. diverge) (3)

will make the first term above converge and the second diverge. This immediately tells us that the addition of mkvar is not conservative with respect to the contextual preorder. Our work in this section will show that it is conservative with respect to contextual equivalence; this came as a surprise.

The following definition captures the relationship between sequences of observations 
which is at work in the above example. 

Definition For any SCI type A, we define the positive and negative read-write orders $\preceq^+$ and $\preceq^-$ between elements of $[\![A]\!]$ as follows. We give only the definitions for singleton elements; the definitions are extended to sequences by requiring that the elements of the sequences are related pointwise.

• At type comm:

$* \preceq^+ *$ and $* \preceq^- *$

• At type nat:

$n \preceq^+ m \iff n = m \iff n \preceq^- m$

• At type var:

$a \preceq^+ a' \iff (a = a') \vee \exists n.\; a = \mathrm{read}(n) \wedge a' = \mathrm{write}(n)$

$a \preceq^- a' \iff a = a'$

• At type $A \multimap B$:

$(s, b) \preceq^+ (s', b') \iff s \preceq^- s' \wedge b \preceq^+ b'$
$(s, b) \preceq^- (s', b') \iff s \preceq^+ s' \wedge b \preceq^- b'$

In general, $s \preceq^+ t$ iff t can be obtained from s by replacing some occurrences of read(n) actions in positive occurrences of the type var by the corresponding write(n) actions. The $\preceq^-$ order is the same but operates on actions in negative occurrences of var.

We are now in a position to state our definability result. 

Lemma 9.1. Let A be any type of SCI and let $a \in [\![A]\!]$ be any element of the monoid interpreting A. There exists a term

$x : A \vdash \mathrm{test}(a) : \mathrm{comm}$

of SCI (not including mkvar or random) such that $(s, *) \in [\![\mathrm{test}(a)]\!]$ iff $a \preceq^- s$. There also exists a context $\Gamma = x_1 : \mathrm{var}, \ldots, x_n : \mathrm{var}$, Γ-stores init(a) and final(a), and a term

$\Gamma \vdash \mathrm{produce}(a) : A$

such that for all $a' \in [\![A]\!]$,

$(\exists s.\; (s, a') \in [\![\mathrm{produce}(a)]\!] \wedge \mathrm{init}(a) \xrightarrow{s} \mathrm{final}(a)) \iff a \preceq^+ a'$.

Proof. We will prove the two parts of this lemma simultaneously by induction on the type A. First note that any $a \in [\![A]\!]$ is a sequence of elements from a certain alphabet. Before beginning the main induction, we show that it suffices to consider the case when a is a singleton sequence. The cases when a is empty are trivial: test([]) = skip and produce([]) is any divergent term, with init([]) and final([]) both being the unique store on no variables. If $a = [a_1, a_2, \ldots, a_n]$, then we can define test(a) as

test([a_1]); test([a_2]); ...; test([a_n]).

For the produce part, suppose that $A = A_1 \multimap A_2 \multimap \ldots \multimap A_k \multimap B$ for some base type B, and that the context Γ contains all the variables needed to define the produce(a_i). For any store σ over variables x_1, ..., x_n, define check(σ) to be the term

if (!x_1 ≠ σ(x_1)) then diverge
else if (!x_2 ≠ σ(x_2)) then diverge
...
else if (!x_n ≠ σ(x_n)) then diverge
else skip

Define set(σ) to be x_1 := σ(x_1); ...; x_n := σ(x_n).

An appropriate term produce(a) can then be defined as follows.

Γ, x : var ⊢ λy_1^{A_1} ... y_k^{A_k}. x := !x + 1;
  if (!x = 1) then produce(a_1) y_1 ... y_k
  else if (!x = 2) then check(final(a_1)); set(init(a_2)); produce(a_2) y_1 ... y_k
  ...
  else if (!x = n) then check(final(a_{n-1})); set(init(a_n)); produce(a_n) y_1 ... y_k
  else diverge

The required initial state init(a) is (init(a_1) | x ↦ 0), and the final state final(a) is (final(a_n) | x ↦ n).

We now define test(a) and produce(a) for the case when a is a singleton, by induction on the structure of the type A.
For the type comm, we define

test(*) = x : comm ⊢ x : comm
produce(*) = y : var ⊢ y := !y + 1 : comm
init(*) = (y ↦ 0)
final(*) = (y ↦ 1)

Note the way the initial and final states check that the command produce(*) is used exactly once.
The type nat is handled similarly:

test(n) = x : nat ⊢ if (x = n) then skip else diverge : comm
produce(n) = y : var ⊢ y := !y + 1; n : nat
init(n) = (y ↦ 0)
final(n) = (y ↦ 1)

For var, there are two kinds of action to consider: those for reading and those for writing. For writing we define:

test(write(n)) = x : var ⊢ x := n : comm
produce(write(n)) = x : var, y : var ⊢ y := !y + 1; x : var
init(write(n)) = (x ↦ n + 1, y ↦ 0)
final(write(n)) = (x ↦ n, y ↦ 1)

For produce(write(n)), the variable y checks that exactly one use is made, and the variable x checks that the one use is a write-action assigning n to the variable.
Reading is handled similarly:

test(read(n)) = x : var ⊢ if (!x = n) then skip else diverge : comm
produce(read(n)) = x : var, y : var ⊢ y := !y + 1; x : var
init(read(n)) = (x ↦ n, y ↦ 0)
final(read(n)) = (x ↦ n, y ↦ 1)

In init(read(n)), the variable x holds n so that if the expression produce(read(n)) is used for a read, the value n is returned. The variable x must also hold n finally, so produce(read(n)) cannot reach the state final(read(n)) if it is used to write a value other than n. However, it would admit a single write(n) action. This is the reason for introducing the $\preceq^+$ relation: if a term of our language can engage in a read(n) action, then it can also engage in write(n).

For a function type $A \multimap B$, the action we are dealing with has the form (s, b) where s is a sequence of actions from A and b is an action from B. We can now define

test(s, b) = x : A ⊸ B ⊢ new x_1, ..., x_n in
  set(init(s));
  (λx^B. test(b))(x produce(s));
  check(final(s))
produce(s, b) = λx^A. test(s); produce(b)
init(s, b) = init(b)
final(s, b) = final(b)

where x_1, ..., x_n are the variables used in produce(s).

The non-interference between function and argument allows us to define these terms very simply: for test(s, b) we supply the function x with an argument which will produce the sequence s, and check that the output from x is b. We must also check that the function x uses its argument in the appropriate, s-producing way, which is done by means of the init(s) and final(s) states. For produce(s, b) we simply test that the argument x is capable of producing s, and then produce b.

It is straightforward to check that these terms have the required properties. □ 
9.2. Conservativity of random. 

Lemma 9.2 (random is conservative). Let $\Gamma \vdash M, N : A$ be terms of $\mathrm{SCI}_{mk}$ such that $M \cong_{mk} N$. Then $M \cong_{mk,ran} N$.

Proof. It suffices to consider closed terms, because in all the language fragments we consider, open terms M and N are equivalent if and only if their closures λx.M and λx.N are equivalent.

So, let $\vdash M, N : A$, suppose $M \cong_{mk} N$ and let C[−] be a context, possibly employing random, such that C[M] $\Downarrow$ skip. We shall show that C[N] $\Downarrow$ skip by induction on the number of occurrences of random in C[−].

The base case, where C[−] does not employ random at all, is trivial: C[−] is an $\mathrm{SCI}_{mk}$ context, so since $M \cong_{mk} N$, we have C[N] $\Downarrow$ skip.

For the inductive step, let C'[−] be the context obtained from C[−] by replacing one occurrence of random with a fresh variable r of type nat. Then for any term P, C[P] $\Downarrow$ skip if and only if (λr.C'[P])(random) $\Downarrow$ skip.

Since (λr.C'[M])(random) $\Downarrow$ skip, Corollary 6.2 implies that

$(\varepsilon, *) \in [\![(\lambda r.C'[M])(\mathrm{random})]\!]$.

By definition of $[\![\mathrm{random}]\!]$ and the semantics of application, there must exist a sequence s of natural numbers such that $(s, *) \in [\![\lambda r.C'[M]]\!]$.
By Lemma 9.1 there is a term

$x : \mathrm{nat} \multimap \mathrm{comm} \vdash \mathrm{test} : \mathrm{comm}$

not involving random, such that $(t, *) \in [\![\mathrm{test}]\!]$ iff $t = (s, *)$.

We therefore have $(\varepsilon, *) \in [\![(\lambda x.\mathrm{test})(\lambda r.C'[M])]\!]$ and hence by Corollary 4.2 (λx.test)(λr.C'[M]) $\Downarrow$ skip. But (λx.test)(λr.C'[−]) is a context involving the same number of occurrences of random as does C'[−], so by the inductive hypothesis we also have (λx.test)(λr.C'[N]) $\Downarrow$ skip. Therefore $(\varepsilon, *) \in [\![(\lambda x.\mathrm{test})(\lambda r.C'[N])]\!]$, which is only possible if $(s, *) \in [\![\lambda r.C'[N]]\!]$. But then

$(\varepsilon, *) \in [\![(\lambda r.C'[N])(\mathrm{random})]\!]$

and hence by Corollary 6.2 again, (λr.C'[N])(random) $\Downarrow$ skip. Finally we can conclude that C[N] $\Downarrow$ skip as required. □

Corollary 9.3. The model of $\mathrm{SCI}_{mk}$ in MonRel is fully abstract. □

9.3. Conservativity of mkvar. 

Lemma 9.4. Let $A^*$ be an object-space interpreting a type of SCI in MonRelCoh and let $a, a' \in A^*$.

• If $a \sim a'$ and $a \preceq^- a'$ then $a = a'$.

• If $a \preceq^+ a'$ then $a \sim a'$.

Proof. By induction on type. We consider only the cases of singleton sequences; the general cases follow easily.

For comm and nat, both $\preceq^-$ and $\preceq^+$ are the identity relations, so the results hold trivially. For var, $\preceq^-$ is again the identity relation, completing this case. For $\preceq^+$ the result follows from the fact that $\mathrm{read}(n) \sim \mathrm{write}(n)$.

For the inductive step, consider elements (s, b) and (s', b') of $A \multimap B$. If $(s, b) \preceq^- (s', b')$ then $s \preceq^+ s'$ and $b \preceq^- b'$. By the inductive hypothesis on type A, $s \sim s'$, so if $(s, b) \sim (s', b')$ then we also have $b \sim b'$. The inductive hypothesis on B then gives us $b = b'$ and hence $s = s'$ as required. If $(s, b) \preceq^+ (s', b')$ then $s \preceq^- s'$ and $b \preceq^+ b'$. Then if $s \sim s'$, the inductive hypothesis gives us $s = s'$. Induction also tells us that $b \sim b'$, and hence $(s, b) \sim (s', b')$ as required. □
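As an added illustration (this is not code from the paper), the following Python encodes the object-space coherence relation of Section 8 together with the base-type coherences for nat, comm and var, and the read-write orders $\preceq^+$ and $\preceq^-$ of Section 9.1; it then checks both clauses of Lemma 9.4 on the two observations behind the curious fact of Section 9.1. The tuple encoding of types, actions and sequences is this example's own assumption.

```python
# Added example (not from the paper). Encodes the object-space coherence of
# Section 8 with its base-type relations, and the read-write orders <=+ / <=-
# of Section 9.1, then checks Lemma 9.4. The encoding is this example's own:
#   types   "comm" | "nat" | "var" | ("fun", A, B)   (the last is A -o B)
#   actions "*" | int | ("read", n) | ("write", n) | (s, b) with s a tuple
#   an element of the object space A* is a tuple of actions

def coh1(ty, a, a2):
    """Coherence of two single actions of type ty."""
    if ty == "comm":
        return True                      # * ~ *
    if ty == "nat":
        return a == a2                   # n ~ n' iff n = n'
    if ty == "var":
        if a[0] == "write" or a2[0] == "write":
            return True                  # write(n) is coherent with everything
        return a[1] == a2[1]             # read(n) ~ read(n') iff n = n'
    _, A, B = ty
    (s, b), (s2, b2) = a, a2
    if not coh(A, s, s2):                # incoherent inputs impose nothing
        return True
    # coherent inputs force coherent outputs; equal outputs force equal inputs
    return coh1(B, b, b2) and (b != b2 or s == s2)

def coh(ty, s, t):
    """Object-space coherence: one sequence is a prefix of the other, or the
    first elements at which they differ are coherent."""
    for x, y in zip(s, t):
        if x != y:
            return coh1(ty, x, y)
    return True

def rw1(ty, a, a2, positive):
    """Read-write order on single actions: positive selects <=+, else <=-."""
    if ty in ("comm", "nat"):
        return a == a2                   # both orders are the identity
    if ty == "var":                      # <=- is the identity on var; <=+
        if a == a2:                      # additionally has read(n) <=+ write(n)
            return True
        return positive and a[0] == "read" and a2 == ("write", a[1])
    _, A, B = ty
    (s, b), (s2, b2) = a, a2
    # the argument position flips polarity, the result position keeps it
    return rw(A, s, s2, not positive) and rw1(B, b, b2, positive)

def rw(ty, s, t, positive):
    """Pointwise extension of the orders to sequences of equal length."""
    return len(s) == len(t) and all(rw1(ty, x, y, positive) for x, y in zip(s, t))

def pairwise_coherent(ty, elems):
    """Corollary 8.5: a closed term's denotation is pairwise coherent."""
    return all(coh(ty, a, b) for a in elems for b in elems)

def lemma_9_4(ty, a, a2):
    """Both clauses of Lemma 9.4 on one pair of A* elements."""
    clause1 = a == a2 or not (coh(ty, a, a2) and rw(ty, a, a2, False))
    clause2 = coh(ty, a, a2) or not rw(ty, a, a2, True)
    return clause1 and clause2

# Constructed elements of (var -o comm)*: the observation made by "x := 3"
# and the one made by "if !x = 3 then skip else diverge" (Section 9.1).
VAR_TO_COMM = ("fun", "var", "comm")
ASSIGN = (((("write", 3),), "*"),)
TEST = (((("read", 3),), "*"),)
```

On these two elements `rw(VAR_TO_COMM, TEST, ASSIGN, False)` holds while `coh(VAR_TO_COMM, TEST, ASSIGN)` fails, which is exactly the situation Lemma 9.4's first clause rules out for distinct coherent elements.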

Lemma 9.5 (mkvar is conservative). Let $\Gamma \vdash M, N : A$ be terms of SCI such that $M \cong N$. Then $M \cong_{mk} N$.

Proof. As in Lemma 9.2 we consider only closed terms. Suppose $\vdash M, N : A$ with $M \cong N$ and let $(\varepsilon, a) \in [\![M]\!]$ be any element of the denotation of M. By Lemma 9.1 there is a term $x : A \vdash \mathrm{test}(a) : \mathrm{comm}$ such that $(a', *) \in [\![\mathrm{test}(a)]\!]$ if and only if $a \preceq^- a'$. We therefore have $(\varepsilon, *) \in [\![(\lambda x.\mathrm{test}(a))M]\!]$, and hence (λx.test(a))M $\Downarrow$ skip by Corollary 4.2. By hypothesis we have (λx.test(a))N $\Downarrow$ skip, so that $(\varepsilon, *) \in [\![(\lambda x.\mathrm{test}(a))N]\!]$. Therefore there is some a' such that $a \preceq^- a'$ and $(\varepsilon, a') \in [\![N]\!]$. Symmetrically we can find a'' such that $a' \preceq^- a''$ and $(\varepsilon, a'') \in [\![M]\!]$.

By Corollary 8.5, $a \sim a''$ and then by Lemma 9.4 $a = a''$ and hence $a = a'$. It follows that $[\![M]\!] = [\![N]\!]$ and hence $M \cong_{mk} N$ by Theorem 7.3. □

Corollary 9.6. The model of SCI in MonRel is fully abstract. □ 

We remark that Reddy was not aware that his model was fully abstract; indeed it was 
believed not to be. 



10. Conclusions 

We have shown that a simple amendment of Scott's $P\omega$ graph model gives rise to a model of imperative computation, in the event-based style of Reddy's object-spaces model and later models based on game semantics. Moreover we have shown that this model contains a universal type, thus yielding a very cheap proof of full abstraction for the language $\mathrm{SCI}_{mk,ran}$. With some additional work we have established full abstraction for the original SCI language via conservativity results; this was not known prior to our work.

We believe that the general approach of constructing models in this way is of interest 
and has the potential to give rise to a range of interesting concrete models and some useful 
insights at a more abstract level. We intend to develop an axiomatic presentation of our 
constructions, expanding on the work of Hyland et al. [7]. At present it is not clear whether 
the more refined game-based models can be presented in this style; this remains a topic for 
further investigation. 